Your TV Link

This is a discussion on Your TV Link within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


12-29-2016, 01:34 AM   #1
Suadnovic (Registered Member; Join Date: Dec 2007; Posts: 153; OS: XP Pro)

All my browsers are infected with Yourtv.link, which redirects pages and blocks normal browser behavior. I do scan with Malwarebytes Anti-Malware and AdwCleaner; they both find it, but cleaning doesn't fix the problem. As soon as I open any browser, it is back. Here are the log files, if this could be of some help:

https://www.sendspace.com/file/gbkmn5

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 11.111.2
Run by Suad at 10:10:20 on 2016-12-29
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1527.607 [GMT 1:00]
.
AV: Avira Antivirus *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\Antivirus\sched.exe
C:\Documents and Settings\Suad\Application Data\AVAST Software\Browser Cleanup\BCUSched.exe
C:\Program Files\Avira\Antivirus\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
C:\Program Files\Avira\Antivirus\avshadow.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\Antivirus\avgnt.exe
C:\Program Files\Avira\Launcher\Avira.Systray.exe
C:\Documents and Settings\Suad\Application Data\uTorrent\uTorrent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
C:\Documents and Settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Documents and Settings\All Users\iobakf\iobakf.exe
C:\Program Files\EmEditor\emedtray.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yourtv.link
uSearch Bar = hxxps://www.google.com/?bcutc=sp-004-752
uSearch Page = hxxps://www.google.com/search?bcutc=sp-004-752&q={searchTerms}
mStart Page = hxxps://www.google.com/?bcutc=sp-004-752
mSearch Bar = hxxps://www.google.com/?bcutc=sp-004-752
mSearch Page = hxxps://www.google.com/search?bcutc=sp-004-752&q={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_111\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_111\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\documents and settings\suad\application data\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Adobe Reader Synchronizer] "c:\program files\adobe\reader 11.0\reader\AdobeCollabSync.exe"
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [CCleaner Monitoring] "c:\program files\ccleaner\CCleaner.exe" /MONITOR
uRun: [iobakf.exe] c:\documents and settings\all users\iobakf\iobakf.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivirus\avgnt.exe" /min
mRun: [Avira SystrayStartTrigger] c:\program files\avira\launcher\Avira.SystrayStartTrigger.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\suad\startm~1\programs\startup\emeditor.lnk - c:\program files\emeditor\emedtray.exe
StartupFolder: c:\docume~1\suad\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\suad\startm~1\programs\startup\suad.lnk - c:\documents and settings\all users\iobakf\iobakf.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: localhost
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0067-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
TCP: Interfaces\{3D613E94-4D96-4B66-A027-6D91900CFB7C} : NameServer = 8.8.8.8 4.2.2.2
TCP: Interfaces\{DC1F581B-B8C1-4CD4-8530-19D911DCD677} : NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\49.0.2623.112\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 m.fr.a2dfp.net
Hosts: 0.0.0.0 mfr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 0.0.0.0 asy.a8ww.net
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\suad\application data\mozilla\firefox\profiles\aex6lj8q.default-1473001184500\
FF - prefs.js: browser.search.defaulturl - hxxps://www.google.com/search?bcutc=sp-004-752
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yourtv.link
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?bcutc=sp-004-752
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.32.7\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.8.0_111\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_111\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nokia\nokia suite\npNokiaSuiteEnabler.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_24_0_0_186.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-6 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2015-8-8 37896]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2016-1-28 140936]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [2006-6-6 5888]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivirus\sched.exe [2015-8-8 470600]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivirus\avguard.exe [2015-8-8 470600]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2015-8-8 115600]
R2 Avira.ServiceHost;Avira Service Host;c:\program files\avira\launcher\Avira.ServiceHost.exe [2016-7-11 309384]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.EXE [2006-6-6 114688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-2 24448]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivirus\avwebgrd.exe [2016-10-25 1253352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-8 1136608]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2016-9-20 324224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2014-1-5 1691480]
S3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys --> c:\windows\system32\drivers\anvsnddrv.sys [?]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-6 35968]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2016-2-23 27064]
S4 AntiVirMailService;Avira Mail Protection;c:\program files\avira\antivirus\avmailc.exe [2016-10-25 970632]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-8 1514464]
.
=============== File Associations ===============
.
FileExt: .txt: emeditor.txt="c:\program files\emeditor\EMEDITOR.EXE" "%1"
.js: <filetype is not registered>
ShellExec: opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2016-12-29 09:04:33 -------- d-----w- c:\documents and settings\all users\application data\Estsoft
2016-12-27 19:54:02 -------- d-----w- c:\documents and settings\suad\application data\AVAST Software
2016-12-27 12:46:32 -------- d-----w- C:\2-click run
2016-12-26 17:12:38 -------- d-sh--w- c:\documents and settings\all users\Mozilla
2016-12-20 09:19:46 -------- d-sh--w- c:\documents and settings\all users\Windows XP
2016-12-20 09:05:38 -------- d-sh--w- c:\documents and settings\all users\iobakf
2016-12-14 08:02:58 3709120 ----a-w- c:\program files\mozilla firefox\d3dcompiler_47.dll
.
==================== Find3M ====================
.
2016-12-29 07:39:39 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-12-21 12:16:43 802904 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-12-21 12:16:42 144472 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-11-22 09:07:17 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-11-22 09:07:09 160256 ----a-w- c:\windows\system32\javacpl.cpl
2016-11-08 21:30:09 5001920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
============= FINISH: 10:17:24,78 ===============


I suppose I picked up this thing on a well-known Bulgarian torrent site.
Attached file: attach.txt (519.6 KB)
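The DDS log above is what a helper reads by hand. As an added example (not part of the thread, and not a DDS, ComboFix or TSF tool), the Python below applies the three checks an analyst runs first over such a log: autostart entries whose target lives in a user-writable profile directory (with the same binary registered in more than one autostart location treated as a persistence pattern), recently created directories carrying the hidden and system attributes (in DDS's attribute column, s and h), and a browser start page pointing at a host other than an expected one. The sample lines are copied from the log in post #1; the set of expected start-page hosts, the list of "known" profile subfolders and the severity scheme are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hosts a browser start page may legitimately point at. Assumption of this example;
# real triage would use whatever the user says they configured.
EXPECTED_START_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

# Profile subfolders that legitimate per-user installs commonly use (assumption).
KNOWN_PROFILE_SUBDIRS = ("\\application data\\", "\\local settings\\", "\\start menu\\",
                         "\\desktop\\", "\\my documents\\", "\\appdata\\")

AUTORUN_RE = re.compile(r"^(?P<kind>[umd]Run|StartupFolder):\s*(?P<rest>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
START_RE = re.compile(r"^(?P<scope>[um])Start Page = (?P<url>\S+)$")

# Sample lines copied from the DDS log in post #1 (a constructed subset for the example).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\documents and settings\suad\application data\utorrent\uTorrent.exe" /MINIMIZED
uRun: [iobakf.exe] c:\documents and settings\all users\iobakf\iobakf.exe
mRun: [avgnt] "c:\program files\avira\antivirus\avgnt.exe" /min
StartupFolder: c:\docume~1\suad\startm~1\programs\startup\suad.lnk - c:\documents and settings\all users\iobakf\iobakf.exe
uStart Page = hxxp://yourtv.link
mStart Page = hxxps://www.google.com/?bcutc=sp-004-752
2016-12-26 17:12:38 -------- d-sh--w- c:\documents and settings\all users\Mozilla
2016-12-20 09:19:46 -------- d-sh--w- c:\documents and settings\all users\Windows XP
2016-12-20 09:05:38 -------- d-sh--w- c:\documents and settings\all users\iobakf
2016-12-14 08:02:58 3709120 ----a-w- c:\program files\mozilla firefox\d3dcompiler_47.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "autostart", "hidden-dir" or "start-page"
    severity: str   # "high" or "medium"
    subject: str    # path or host the finding is about
    reason: str


def autostart_target(kind: str, rest: str) -> Optional[str]:
    """Executable launched by a DDS autostart line, lower-cased; None if no drive path is given."""
    if kind == "StartupFolder":
        rest = rest.rsplit(" - ", 1)[-1]   # "<shortcut>.lnk - <target>"
    m = EXE_RE.search(rest)
    return m.group("path").lower() if m else None


def profile_severity(exe: str) -> Optional[str]:
    """None for paths outside user profiles; 'medium' for the usual per-user install
    locations; 'high' for a bare folder placed directly under a profile root such as All Users."""
    if "\\documents and settings\\" not in exe and "\\users\\" not in exe:
        return None
    return "medium" if any(sub in exe for sub in KNOWN_PROFILE_SUBDIRS) else "high"


def triage(dds_text: str) -> list[Finding]:
    """Scan DDS-style lines and return the entries an analyst would look at first."""
    findings: list[Finding] = []
    autostarts: dict[str, list[str]] = {}   # exe -> autostart locations referencing it
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            exe = autostart_target(m.group("kind"), m.group("rest"))
            if exe:
                autostarts.setdefault(exe, []).append(m.group("kind"))
        elif m := CREATED_RE.match(line):
            attrs = m.group("attrs")
            # DDS attribute column: d = directory, s = system, h = hidden, a = archive, r = read-only
            if attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden-dir", "medium", m.group("path").lower(),
                    f"created {m.group('ts')} with hidden+system attributes ({attrs}); "
                    "Explorer hides such folders by default"))
        elif m := START_RE.match(line):
            url = m.group("url").replace("hxxp", "http", 1)   # DDS defangs URLs
            host = urlparse(url).hostname or url
            if host not in EXPECTED_START_HOSTS:
                findings.append(Finding("start-page", "high", host,
                                        f"{m.group('scope')}Start Page = {url}"))
    for exe, locations in autostarts.items():
        severity = profile_severity(exe)
        if severity is None:
            continue
        if len(locations) > 1:
            severity = "high"   # one binary in several autostart locations is a persistence pattern
        findings.append(Finding("autostart", severity, exe,
                                f"runs from a user-writable profile path via {', '.join(locations)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:10} {f.subject}  ({f.reason})")
```

Run it against a full log with `triage(open("dds.txt").read())`. On the sample, iobakf.exe comes out high because it is registered both under the user's Run key and in the Startup folder, out of a bare folder directly under All Users; that folder is also one of the hidden+system directories created on 2016-12-20, which is why Explorer does not show it until both "Show hidden files and folders" and "Hide protected operating system files" are changed. uTorrent is only medium: it runs from Application Data, which is user-writable but a location per-user installs normally use.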
12-29-2016, 03:20 PM   #2
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; Join Date: Oct 2007; Location: Georgia; Posts: 29,790; OS: XP/Win7/Win10)

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Quote:
I supose pick up this thing on well known bulgarien torrent site
The only way to not get infected is to not go to that site.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\documents and settings\all users\iobakf\iobakf.exe

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analysed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
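chemist's VirusTotal step above submits the file by path. A practitioner usually computes the file's hashes locally first and looks the SHA-256 up, because a sample VirusTotal has already seen needs no upload and its report is keyed by hash. The Python below is an added example, not part of the thread and not a VirusTotal client: it computes MD5, SHA-1 and SHA-256 in chunks, checks that the file really carries MZ/PE headers before anyone treats it as an executable (the .exe extension proves nothing), and builds the report URL. The sample files are constructed header stubs written to a temporary directory; the URL layout https://www.virustotal.com/gui/file/<sha256> is stated as an assumption, and no network request is made.

```python
import hashlib
import struct
import tempfile
from pathlib import Path


def file_hashes(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def is_pe_executable(path: Path) -> bool:
    """True when the file starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature. Anything else is not a Windows executable, whatever
    its extension says."""
    with path.open("rb") as fh:
        dos_header = fh.read(0x40)
        if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"


def virustotal_lookup_url(sha256: str) -> str:
    """Report page for a sample VirusTotal has already seen. URL layout is an assumption."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def check_file(path: Path) -> dict:
    """Everything worth noting before deciding whether to upload a suspect file."""
    hashes = file_hashes(path)
    return {
        "path": str(path),
        "size": path.stat().st_size,
        "hashes": hashes,
        "is_pe": is_pe_executable(path),
        "lookup_url": virustotal_lookup_url(hashes["sha256"]),
    }


def _minimal_pe_stub() -> bytes:
    """Constructed sample: a DOS header with e_lfanew = 0x40 followed by the PE signature.
    Not a runnable program, only enough structure for the header check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def demo() -> dict:
    """Write three constructed files to a temporary directory and check each one."""
    with tempfile.TemporaryDirectory() as tmp:
        pe = Path(tmp) / "iobakf.exe"      # name borrowed from the thread; contents are the stub above
        pe.write_bytes(_minimal_pe_stub())
        txt = Path(tmp) / "renamed.exe"    # .exe extension on a plain text file
        txt.write_text("not an executable")
        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")
        return {"pe": check_file(pe), "txt": check_file(txt), "empty": check_file(empty)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["size"], result["is_pe"], result["hashes"]["sha256"], result["lookup_url"])
```

For the real file, call `check_file(Path(r"c:\documents and settings\all users\iobakf\iobakf.exe"))` and open the returned `lookup_url`; if VirusTotal reports the hash as unknown, upload the file as chemist describes. Looking up by hash first also avoids pushing a possibly private file to a third party when the answer is already public.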
12-29-2016, 04:59 PM   #3
Suadnovic (Registered Member; Join Date: Dec 2007; Posts: 153; OS: XP Pro)

I can't enter
c:\documents and settings\all users\iobakf\iobakf.exe
in the file box at https://www.virustotal.com/; it forces me to navigate, and I can't find this file in my c:\documents and settings\all users\

12-29-2016, 08:25 PM   #4
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; Join Date: Oct 2007; Location: Georgia; Posts: 29,790; OS: XP/Win7/Win10)

Hello Suadnovic.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
12-30-2016, 01:01 AM   #5
Suadnovic (Registered Member; Join Date: Dec 2007; Posts: 153; OS: XP Pro)

Here is:
=======
ComboFix 16-12-15.01 - Suad 30.12.2016 9:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1527.935 [GMT 1:00]
Running from: c:\documents and settings\Suad\Desktop\ComboFix.exe
AV: Avira Antivirus *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Suad\LOCALS~1\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\iobakf\iobakf.exe
c:\documents and settings\All Users\ntuser.pol
c:\documents and settings\Suad\Local Settings\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\program files\compact
c:\program files\compact\Extension Renamer\App.ico
c:\program files\compact\Extension Renamer\AssemblyInfo.cs
c:\program files\compact\Extension Renamer\CompactLibrary.dll
c:\program files\compact\Extension Renamer\Extension Renamer.exe
c:\program files\compact\Extension Renamer\extIcon.ico
c:\program files\compact\Extension Renamer\extRename.csproj
c:\program files\compact\Extension Renamer\extRenamer.cs
c:\program files\compact\Extension Renamer\extRenamer.resx
c:\windows\box.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2016-11-28 to 2016-12-30 )))))))))))))))))))))))))))))))
.
.
2016-12-29 09:04 . 2016-12-29 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Estsoft
2016-12-27 19:54 . 2016-12-27 19:54 -------- d-----w- c:\documents and settings\Suad\Application Data\AVAST Software
2016-12-27 12:46 . 2016-12-27 12:46 -------- d-----w- C:\2-click run
2016-12-26 17:12 . 2016-12-27 16:36 -------- d-sh--w- c:\documents and settings\All Users\Mozilla
2016-12-20 09:19 . 2016-12-20 09:21 -------- d-sh--w- c:\documents and settings\All Users\Windows XP
2016-12-20 09:05 . 2016-12-30 08:34 -------- d-sh--w- c:\documents and settings\All Users\iobakf
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-12-29 07:39 . 2014-04-08 16:33 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-12-21 12:16 . 2015-07-15 16:55 802904 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-12-21 12:16 . 2015-07-15 16:55 144472 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-11-22 09:07 . 2014-10-21 23:41 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-11-22 09:07 . 2014-10-21 23:41 160256 ----a-w- c:\windows\system32\javacpl.cpl
2016-11-08 21:30 . 2016-11-08 21:30 5001920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2015-08-14 14:52 23520 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\Suad\Application Data\uTorrent\uTorrent.exe" [2016-12-17 1979072]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe" [2014-12-03 761064]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2016-12-15 4015216]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2016-12-06 7175384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-04 88204]
"TPSODDCtl"="TPSODDCtl.exe" [2006-05-19 102400]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 57344]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 114688]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-03 1021128]
"avgnt"="c:\program files\Avira\Antivirus\avgnt.exe" [2016-10-25 831576]
"Avira SystrayStartTrigger"="c:\program files\Avira\Launcher\Avira.SystrayStartTrigger.exe" [2016-07-11 67840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Suad\Start Menu\Programs\Startup\
EmEditor.lnk - c:\program files\EmEditor\emedtray.exe [2015-2-4 122448]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr [2007-4-19 64864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaSuite.exe]
2014-11-19 11:47 1092448 ----a-w- c:\program files\Nokia\Nokia Suite\NokiaSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2016-11-15 15:34 27230168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HssTrayService"=3 (0x3)
"hshld"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\FileHippo.com\\FileHippo.AppManager.exe"=
"c:\\Documents and Settings\\Suad\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EmEditor\\EmEditor.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5560:TCP"= 5560:TCP:IDM Update
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27.12.2004 23:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [6.6.2006 14:27 6144]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [8.8.2015 15:02 37896]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [28.1.2016 15:47 140936]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [6.6.2006 14:31 5888]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\Antivirus\sched.exe [8.8.2015 15:02 470600]
R2 Avira.ServiceHost;Avira Service Host;c:\program files\Avira\Launcher\Avira.ServiceHost.exe [11.7.2016 10:01 309384]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [9.10.2013 10:58 3275136]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.EXE [6.6.2006 14:31 114688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2.10.2013 7:44 24448]
S2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\Antivirus\avwebgrd.exe [25.10.2016 17:07 1253352]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [8.4.2014 17:33 1136608]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [20.9.2016 12:54 324224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5.1.2014 18:29 1691480]
S3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys --> c:\windows\system32\drivers\anvsnddrv.sys [?]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6.6.2006 14:49 35968]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [23.2.2016 15:11 27064]
S4 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\Antivirus\avmailc.exe [25.10.2016 17:07 970632]
S4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [8.4.2014 17:33 1514464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-09-22 12:51 1106072 ----a-w- c:\program files\Google\Chrome\Application\49.0.2623.112\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2016-12-24 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_pepper.exe [2016-12-18 07:50]
.
2016-12-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-15 12:16]
.
2016-12-30 c:\windows\Tasks\avast! BCU UpdateS-1-5-21-391094972-1096999475-3888860593-1005.job
- c:\documents and settings\Suad\Application Data\AVAST Software\Browser Cleanup\BCUUpdate.exe [2016-12-27 15:12]
.
2016-12-30 c:\windows\Tasks\avastBCLS-1-5-21-391094972-1096999475-3888860593-1005.job
- c:\documents and settings\Suad\Application Data\AVAST Software\Browser Cleanup\BCUSched.exe [2016-12-27 19:54]
.
2016-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-09-22 12:50]
.
2016-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-09-22 12:50]
.
2016-12-30 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-19 01:59]
.
2016-12-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-19 01:59]
.
2016-12-30 c:\windows\Tasks\Opera scheduled Autoupdate 1478726365.job
- c:\program files\Opera\launcher.exe [2016-11-09 12:29]
.
2016-12-30 c:\windows\Tasks\User_Feed_Synchronization-{8F85813E-A342-4D93-B64D-825456CA8717}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yourtv.link
mStart Page = https://www.google.com/?bcutc=sp-004-752
mSearch Bar = https://www.google.com/?bcutc=sp-004-752
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
Trusted Zone: localhost
TCP: Interfaces\{DC1F581B-B8C1-4CD4-8530-19D911DCD677}: NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
FF - ProfilePath - c:\documents and settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\
FF - prefs.js: browser.search.defaulturl - hxxps://www.google.com/search?bcutc=sp-004-752
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?bcutc=sp-004-752
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?bcutc=sp-004-752
.
.
------- File Associations -------
.
.txt=emeditor.txt
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-iobakf.exe - c:\documents and settings\All Users\iobakf\iobakf.exe
c:\documents and settings\Suad\Start Menu\Programs\Startup\Suad.lnk - c:\documents and settings\All Users\iobakf\iobakf.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2016-12-30 09:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):2b,5d,10,78,fe,0f,ac,a6,7a,1c,3c,20,33,24,d6,45,91,c2,86,8a,53,
25,f3,ba,a0,21,1d,87,31,57,c9,e2,10,c9,19,89,47,9f,b9,6b,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_207_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_207_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d190aa2e-105d-400d-bbf3-46c366528057}]
@Denied: (Full) (Everyone)
"Model"=dword:00000091
"Therad"=dword:0000001f
"SpecVersion"=dword:00000058
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
@SACL=
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{B91B4988-2671-4C7A-9B84-5FE9E38EDDE0}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.2.42.0"
"UniqueId"="0022212E5244B788"
"ScannerBuild"=dword:00001ab4
"ScannerVersionId"=dword:00001377
"ScannerVersion"="Locked/open ESET for status."
"ei2"=hex(b):dc,e7,c9,9c,04,35,b8,dd
"ei1"=hex(b):00,18,de,13,9d,df,00,00
"ei3"=hex(b):02,b8,44,52,00,00,00,00
"ei4"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\WININET.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\Antivirus\avguard.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\SkyTel.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\thpsrv.exe
c:\windows\system32\TFNF5.exe
c:\windows\RTHDCPL.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\windows\system32\OSK.exe
c:\windows\system32\MSSWCHX.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Avira\Antivirus\avshadow.exe
c:\documents and settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
c:\documents and settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Avira\Launcher\Avira.Systray.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
.
**************************************************************************
.
Completion time: 2016-12-30 09:48:39 - machine was rebooted
ComboFix-quarantined-files.txt 2016-12-30 08:48
.
Pre-Run: 2.416.287.744 bytes free
Post-Run: 2.716.233.728 bytes free
.
- - End Of File - - 0D76775429ACA1AE4B830448435B6DAC
8F558EB6672622401DA993E1E865C861

===========
It seems YouTv.link is gone. I opened Firefox, Chrome and Opera; it is gone!
Suadnovic is offline  
Old 12-30-2016, 02:00 AM   #6
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



It is depressing that in fact I don't know what's going on. Why does it come back if Malwarebytes Anti-Malware and AdwareCleaner found it and removed it?
Suadnovic is offline  
Old 12-30-2016, 09:12 PM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Suadnovic.

Quote:
Why does it come back if Malwarebytes Anti-Malware and AdwareCleaner found it and removed it?
That Bulgarian torrent site is putting the malware on your machine. Torrent sites/files are often infected.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    C:\Qoobox\Quarantine\C\documents and settings\all users\iobakf\iobakf.exe.vir

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analysed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Remove any listing left over from an earlier run
if exist log.txt del /s/q log.txt
rem List everything (hidden and system files included) under the folder, recursively
dir /a /s "c:\documents and settings\All Users\iobakf" > log.txt
rem Open the listing so it can be copied into the reply
notepad log.txt
rem The batch file deletes itself once it is done
del %0
Save this as peek.bat to your desktop, choosing Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 12-30-2016, 10:34 PM   #8
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



Can't do this, the iobakf.exe.vir file has 197 MB, and https://www.virustotal.com/
says

Suadnovic is offline  
Old 12-31-2016, 12:48 AM   #9
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



For the second part I have
===================

Volume in drive C has no label.
Volume Serial Number is B08C-A78C

Directory of c:\documents and settings\All Users\iobakf

30.12.2016 09:34 <DIR> .
30.12.2016 09:34 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1.666.908.160 bytes free
Suadnovic is offline  
Old 12-31-2016, 11:23 AM   #10
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



It is not fixed. On
Ofelas titlovi – Skini titlove - Titlovi.com.
clicking in the box for Ofelas Aka Pathfinder (1987) 1 CD in English in Opera leads me to the page
Reimage Repair

Also, clicking on upload at
Subtitles - download movie and TV Series subtitles from the biggest open subtitles database
leads me to the page
Reimage Repair - Speed up my PC
Suadnovic is offline  
Old 12-31-2016, 07:47 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Suadnovic.

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 01-01-2017, 12:55 AM   #12
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-12-2016
Ran by Suad (administrator) on PITAGORA (01-01-2017 09:47:55)
Running from C:\Documents and Settings\Suad\Desktop
Loaded Profiles: Suad (Available Profiles: Suad & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(AVAST Software) C:\Documents and Settings\Suad\Application Data\AVAST Software\Browser Cleanup\bcusched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
() C:\WINDOWS\system32\PAStiSvc.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\ThpSrv.exe
(TOSHIBA) C:\Program Files\Toshiba\TME3\TMESRV31.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\SkyTel.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\00THotkey.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
(Agere Systems) C:\WINDOWS\agrsmmsg.exe
(TOSHIBA Corporation) C:\WINDOWS\system32\ThpSrv.exe
(TOSHIBA Corp.) C:\WINDOWS\system32\TFNF5.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TouchED\TouchED.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
(Sonic Solutions) C:\WINDOWS\system32\DLA\DLACTRLW.EXE
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(TOSHIBA) C:\Program Files\Toshiba\TME3\TMEEJME.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Intel Corporation) C:\WINDOWS\system32\igfxext.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(BitTorrent Inc.) C:\Documents and Settings\Suad\Application Data\uTorrent\uTorrent.exe
(BitTorrent Inc.) C:\Documents and Settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(BitTorrent Inc.) C:\Documents and Settings\Suad\Application Data\uTorrent\updates\3.4.9_43085\utorrentie.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Emurasoft, Inc.) C:\Program Files\EmEditor\emedtray.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Intel Corporation) C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
(Nokia) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
(Microsoft Corporation) C:\WINDOWS\system32\osk.exe
(Microsoft Corporation) C:\WINDOWS\system32\msswchx.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SkyTel] => C:\WINDOWS\SkyTel.EXE [1448960 2006-04-24] (Realtek Semiconductor Corp.)
HKLM\...\Run: [00THotkey] => C:\WINDOWS\system32\00THotkey.exe [253952 2006-05-18] (TOSHIBA Corporation)
HKLM\...\Run: [000StTHK] => C:\WINDOWS\system32\000StTHK.exe [24576 2001-06-23] ()
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [196608 2004-03-24] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AGRSMMSG] => C:\WINDOWS\AGRSMMSG.exe [88204 2006-03-04] (Agere Systems)
HKLM\...\Run: [TPSODDCtl] => C:\WINDOWS\system32\TPSODDCtl.exe [102400 2006-05-19] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] => thpsrv /logon
HKLM\...\Run: [TFNF5] => C:\WINDOWS\system32\TFNF5.exe [622592 2006-04-11] (TOSHIBA Corp.)
HKLM\...\Run: [TouchED] => C:\Program Files\TOSHIBA\TouchED\TouchED.Exe [102400 2005-08-31] (TOSHIBA Corporation)
HKLM\...\Run: [TOSDCR] => C:\WINDOWS\system32\TOSDCR.EXE [57344 2005-12-12] (TOSHIBA Corporation)
HKLM\...\Run: [TMESRV.EXE] => C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE [114688 2006-03-06] (TOSHIBA)
HKLM\...\Run: [TosHKCW.exe] => C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe [49152 2005-05-17] (TOSHIBA CORPORATION)
HKLM\...\Run: [DLA] => C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2005-10-06] (Sonic Solutions)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [667718 2005-12-05] (Intel Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [602182 2005-11-28] (Intel Corporation)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [20145368 2013-10-04] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-12-03] (Adobe Systems Incorporated)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [831576 2016-10-25] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [67840 2016-07-11] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [CFSServ.exe] => CFSServ.exe -NoClient
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Run: [uTorrent] => C:\Documents and Settings\Suad\Application Data\uTorrent\uTorrent.exe [1979072 2016-12-17] (BitTorrent Inc.)
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [761064 2014-12-03] (Adobe Systems Incorporated)
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [4015216 2016-12-15] (Tonec Inc.)
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [7175384 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Run: [NokiaSuite.exe] => C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe [1092448 2014-11-19] (Nokia)
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll [2015-08-14] (Tonec Inc.)
Startup: C:\Documents and Settings\Suad\Start Menu\Programs\Startup\EmEditor.lnk [2016-02-08]
ShortcutTarget: EmEditor.lnk -> C:\Program Files\EmEditor\emedtray.exe (Emurasoft, Inc.)
Startup: C:\Documents and Settings\Suad\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk [2015-07-07]
ShortcutTarget: Microsoft Office OneNote 2003 Quick Launch.lnk -> C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
CHR HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{3D613E94-4D96-4B66-A027-6D91900CFB7C}: [NameServer] 8.8.8.8 4.2.2.2
Tcpip\..\Interfaces\{DC1F581B-B8C1-4CD4-8530-19D911DCD677}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-004-752
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yourtv.link
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-004-752&q={searchTerms}
SearchScopes: HKLM -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-004-752&q={searchTerms}
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2016-12-10] (Internet Download Manager, Tonec Inc.)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-10-06] (Sonic Solutions)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_111\bin\ssv.dll [2016-11-22] (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-11-22] (Oracle Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0067-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2016-09-23] (Skype Technologies)

FireFox:
========
FF DefaultProfile: aex6lj8q.default-1473001184500
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 [2017-01-01]
FF NewTab: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> about:newtab
FF DefaultSearchEngine: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> Google
FF DefaultSearchUrl: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> hxxps://www.google.com/search?bcutc=sp-004-752
FF SearchEngineOrder.1: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> Google
FF SelectedSearchEngine: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> Google
FF Homepage: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> hxxps://www.google.com/?bcutc=sp-004-752
FF Keyword.URL: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 -> hxxps://www.google.com/search?bcutc=sp-004-752
FF Extension: (YouTube Caption Downloader) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\[email protected] [2016-09-27]
FF Extension: (Open in IE) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\[email protected] [2016-09-19]
FF Extension: (Restart) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\[email protected] [2016-10-28]
FF Extension: (Secure Login) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\[email protected] [2016-09-20]
FF Extension: (NoScript) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-11-29]
FF Extension: (Password Exporter) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}.xpi [2016-09-19]
FF Extension: (Video DownloadHelper) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-12-30]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (Greasemonkey) - C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2016-09-20]
FF Extension: (IDM integration) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2016-11-16]
FF SearchPlugin: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\searchplugins\Google .xml [2016-12-29]
FF SearchPlugin: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500\searchplugins\google-avast.xml [2016-12-29]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-09-27] [not signed]
FF HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\SeaMonkey\Extensions: [[email protected]] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-391094972-1096999475-3888860593-1005\...\SeaMonkey\Extensions: [[email protected]] - C:\Documents and Settings\Suad\Application Data\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Documents and Settings\Suad\Application Data\IDM\idmmzcc5 [2016-12-30] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-21] ()
FF Plugin: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-11-22] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-11-22] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @nokia.com/EnablerPlugin -> C:\Program Files\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll [2014-11-19] ( )
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default [2017-01-01]
CHR Extension: (Google Slides) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-09-22]
CHR Extension: (Google Docs) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-09-22]
CHR Extension: (Google Drive) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-09-22]
CHR Extension: (YouTube) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-09-22]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-09-22]
CHR Extension: (Avira Browser Safety) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-09-22]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-09-22]
CHR Extension: (IDM Integration Module) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-12-17]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-22]
CHR Extension: (Fast search) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha [2016-12-27]
CHR Extension: (Gmail) - C:\Documents and Settings\Suad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-09-22]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2016-12-15]

Opera:
=======
OPR StartupUrls: "hxxp://www.google.com/"
OPR Extension: (SingleClick Cleaner) - C:\Documents and Settings\Suad\Application Data\Opera Software\Opera Stable\Extensions\mpngheackobblplgchdmjiflbfokmoen [2016-12-29]
OPR Extension: (Fast search) - C:\Documents and Settings\Suad\Application Data\Opera Software\Opera Stable\Extensions\pbdpajcdgknpendpmecafmopknefafha [2016-12-27]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc.exe [970632 2016-10-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [470600 2016-10-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [470600 2016-10-25] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\AVWEBGRD.EXE [1253352 2016-10-25] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [309384 2016-07-11] (Avira Operations GmbH & Co. KG)
R2 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2005-01-18] (TOSHIBA CORPORATION) [File not signed]
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [114753 2005-11-28] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [217164 2005-11-28] (Intel Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [540745 2005-11-28] (Intel Corporation ) [File not signed]
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 STI Simulator; C:\WINDOWS\System32\PAStiSvc.exe [53248 2005-01-14] () [File not signed]
R2 Thpsrv; C:\WINDOWS\system32\ThpSrv.exe [167936 2006-05-18] (TOSHIBA Corporation) [File not signed]
R2 Tmesrv; C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe [114688 2006-03-06] (TOSHIBA) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21275 2013-09-26] (Meetinghouse Data Communications) [File not signed]
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [115600 2016-07-25] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [140272 2016-07-25] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37896 2015-07-15] (Avira Operations GmbH & Co. KG)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [25628 2005-10-06] (Sonic Solutions) [File not signed]
R1 DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2496 2005-10-06] (Sonic Solutions) [File not signed]
R2 DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [86524 2005-10-06] (Sonic Solutions) [File not signed]
R2 DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [14684 2005-10-06] (Sonic Solutions) [File not signed]
R2 DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [6364 2005-10-06] (Sonic Solutions) [File not signed]
R1 DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [94332 2005-10-06] (Sonic Solutions) [File not signed]
R2 DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [87036 2005-10-06] (Sonic Solutions) [File not signed]
R0 DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [89264 2005-09-12] (Sonic Solutions) [File not signed]
R2 DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions) [File not signed]
R1 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [140936 2016-09-21] (Tonec Inc.)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [35968 2005-06-10] (Infineon Technologies AG)
R3 Iviaspi; C:\WINDOWS\System32\drivers\iviaspi.sys [21060 2003-09-10] (InterVideo, Inc.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R2 Netdevio; C:\WINDOWS\System32\DRIVERS\netdevio.sys [12032 2003-01-29] (TOSHIBA Corporation.) [File not signed]
R3 Pfc; C:\WINDOWS\System32\drivers\pfc.sys [10368 2003-09-19] (Padus, Inc.) [File not signed]
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-04-25] (Sonic Solutions) [File not signed]
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [13568 2005-11-28] (Intel Corporation) [File not signed]
S3 SoC PC-Camera Service; C:\WINDOWS\System32\DRIVERS\pfc027.sys [136832 2004-06-17] () [File not signed]
S3 taphss; C:\WINDOWS\System32\DRIVERS\taphss.sys [33512 2015-08-21] (AnchorFree Inc)
R0 Thpdrv; C:\WINDOWS\System32\DRIVERS\thpdrv.sys [16384 2004-12-27] (TOSHIBA Corporation) [File not signed]
R1 TMEI3E; C:\WINDOWS\System32\Drivers\TMEI3E.SYS [5888 2004-06-16] (Toshiba Corporation) [File not signed]
R3 tosrfec; C:\WINDOWS\System32\DRIVERS\tosrfec.sys [9344 2005-09-09] (TOSHIBA Corporation) [File not signed]
R0 TVALZ; C:\WINDOWS\System32\DRIVERS\TVALZ.SYS [16768 2005-12-26] (TOSHIBA Corporation) [File not signed]
R3 w39n51; C:\WINDOWS\System32\DRIVERS\w39n51.sys [1428096 2005-12-05] (Intel® Corporation)
S3 anvsnddrv; system32\drivers\anvsnddrv.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Tosrfcom; C:\Windows\System32\Drivers\Tosrfcom.sys [64896 2005-08-01] (TOSHIBA Corporation) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-01 09:47 - 2017-01-01 09:49 - 00028050 _____ C:\Documents and Settings\Suad\Desktop\FRST.txt
2017-01-01 09:46 - 2017-01-01 09:46 - 01762816 _____ (Farbar) C:\Documents and Settings\Suad\Desktop\FRST.exe
2016-12-31 21:47 - 2017-01-01 02:00 - 00000000 __RHD C:\Documents and Settings\Suad\Recent
2016-12-31 19:54 - 2016-12-31 19:54 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Deepwater Horizon (2016)
2016-12-31 19:38 - 2016-12-31 20:16 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Ofelas Aka Pathfinder (1987)
2016-12-31 09:47 - 2016-12-31 09:47 - 00000385 _____ C:\Documents and Settings\Suad\Desktop\log.txt
2016-12-30 19:41 - 2016-12-30 20:41 - 00000434 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2016-12-30 19:41 - 2016-12-30 19:41 - 00000000 __SHD C:\Documents and Settings\LocalService\Cookies
2016-12-30 15:02 - 2016-12-30 17:36 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Keeping Up With The Joneses (2016)
2016-12-30 10:02 - 2016-12-30 10:02 - 00000000 __SHD C:\RECYCLER
2016-12-30 09:48 - 2017-01-01 09:47 - 00000000 ____D C:\WINDOWS\temp
2016-12-30 09:48 - 2016-12-30 09:48 - 00017446 _____ C:\ComboFix.txt
2016-12-30 09:48 - 2016-12-30 09:48 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2016-12-30 09:48 - 2016-12-30 09:48 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2016-12-30 09:23 - 2016-12-30 09:48 - 00000000 ____D C:\Qoobox
2016-12-30 09:23 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2016-12-30 09:23 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2016-12-30 09:23 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2016-12-30 09:23 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2016-12-30 03:58 - 2016-12-30 05:25 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\The Perfect Weapon (2016)
2016-12-29 12:17 - 2016-12-31 12:43 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Collide (2016)
2016-12-29 10:30 - 2016-12-29 10:30 - 00000534 _____ C:\Documents and Settings\Suad\My Documents\untitled.rtf
2016-12-29 10:04 - 2016-12-29 10:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Estsoft
2016-12-29 08:25 - 2016-12-29 08:25 - 03977168 _____ C:\Documents and Settings\Suad\My Documents\adwcleaner_6.041.exe
2016-12-27 22:06 - 2016-12-29 09:39 - 00002992 __RSH C:\Documents and Settings\Suad\ntuser.pol
2016-12-27 20:54 - 2017-01-01 08:54 - 00000338 ____H C:\WINDOWS\Tasks\avast! BCU UpdateS-1-5-21-391094972-1096999475-3888860593-1005.job
2016-12-27 20:54 - 2016-12-30 20:39 - 00000336 ____H C:\WINDOWS\Tasks\avastBCLS-1-5-21-391094972-1096999475-3888860593-1005.job
2016-12-27 20:54 - 2016-12-27 20:54 - 00000000 ____D C:\Documents and Settings\Suad\Start Menu\Avast Browser Cleanup
2016-12-27 20:54 - 2016-12-27 20:54 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\AVAST Software
2016-12-27 17:32 - 2016-12-30 20:39 - 1601359872 ___SH C:\hiberfil.sys
2016-12-27 13:46 - 2016-12-27 13:46 - 00000000 ____D C:\2-click run
2016-12-27 13:45 - 2016-12-27 13:45 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\SpyHunter
2016-12-26 23:07 - 2016-12-26 23:07 - 00023597 _____ C:\Documents and Settings\Suad\My Documents\I.Want.To.Be.A.Soldier.2010.BRRip.XviD.MP3-RARBG-[rarbg.to].torrent
2016-12-26 18:12 - 2016-12-27 17:36 - 00000000 __SHD C:\Documents and Settings\All Users\Mozilla
2016-12-25 19:20 - 2016-12-26 09:37 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\This Christmas (2007)
2016-12-25 19:18 - 2016-12-25 19:18 - 00031386 _____ C:\Documents and Settings\Suad\My Documents\This.Christmas.2007.BRRip.XviD.MP3-RARBG-[rarbg.to].torrent
2016-12-22 19:24 - 2016-12-22 19:49 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\A Kind Of Murder (2016)
2016-12-20 17:18 - 2016-12-20 19:41 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Johnson County War (2002)
2016-12-20 10:19 - 2016-12-20 10:21 - 00000000 __SHD C:\Documents and Settings\All Users\Windows XP
2016-12-20 10:05 - 2016-12-30 09:34 - 00000000 __SHD C:\Documents and Settings\All Users\iobakf
2016-12-18 08:50 - 2017-01-01 08:54 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-12-15 20:52 - 2016-12-19 23:00 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Dog Eat Dog (2016)
2016-12-14 09:02 - 2016-12-18 08:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-12-14 08:57 - 2016-12-14 08:57 - 00001722 _____ C:\Documents and Settings\Suad\My Documents\Panny z Wilka.rtf
2016-12-12 16:18 - 2016-12-12 18:57 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Horizons West (1952)

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-01 09:49 - 2013-09-26 19:35 - 00000000 ____D C:\Documents and Settings\Suad\Local Settings\Temp
2017-01-01 09:48 - 2015-07-29 08:06 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\uTorrent
2017-01-01 09:47 - 2014-07-31 07:19 - 00000000 ____D C:\FRST
2017-01-01 09:46 - 2016-02-08 10:05 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\IDM
2017-01-01 09:01 - 2016-09-22 13:50 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-01-01 00:01 - 2016-09-22 13:50 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-31 23:44 - 2015-07-28 10:03 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-12-31 23:44 - 2006-06-06 12:08 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-12-31 22:19 - 2016-11-09 22:19 - 00000398 _____ C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1478726365.job
2016-12-31 21:54 - 2013-09-26 19:35 - 00000000 __SHD C:\Documents and Settings\Suad\Local Settings\Temporary Internet Files
2016-12-31 21:47 - 2013-09-26 19:35 - 00000000 ____D C:\Documents and Settings\Suad
2016-12-31 16:11 - 2013-10-19 16:07 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\Skype
2016-12-31 16:06 - 2013-09-27 03:40 - 00000420 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{8F85813E-A342-4D93-B64D-825456CA8717}.job
2016-12-31 14:43 - 2006-06-06 12:14 - 00032458 ____N C:\WINDOWS\SchedLgU.Txt
2016-12-31 10:43 - 2015-12-23 08:20 - 00000000 ____D C:\Documents and Settings\Suad\Local Settings\Application Data\TechSmith
2016-12-31 10:15 - 2006-06-06 12:56 - 00000000 ___HD C:\WINDOWS\inf
2016-12-31 08:30 - 2013-09-26 20:21 - 00000000 ____D C:\Documents and Settings\Suad\My Documents\Downloads
2016-12-30 22:19 - 2016-11-09 22:18 - 00000000 ____D C:\Program Files\Opera
2016-12-30 20:44 - 2006-06-06 13:01 - 00000000 ____D C:\WINDOWS\system32\CatRoot2
2016-12-30 20:43 - 2006-06-06 12:14 - 00001024 ____H C:\Documents and Settings\LocalService\ntuser.dat.LOG
2016-12-30 20:41 - 2006-06-06 10:55 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2016-12-30 20:40 - 2013-10-19 17:03 - 00000159 ____N C:\WINDOWS\wiadebug.log
2016-12-30 20:40 - 2013-10-19 17:03 - 00000050 ____N C:\WINDOWS\wiaservc.log
2016-12-30 20:40 - 2006-06-06 12:14 - 00001024 ____H C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2016-12-30 20:39 - 2014-03-19 17:07 - 00000220 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-12-30 20:39 - 2014-01-05 18:33 - 00158058 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2016-12-30 20:39 - 2013-09-26 19:35 - 28049408 ____H C:\Documents and Settings\Suad\NTUSER.DAT
2016-12-30 20:39 - 2013-09-26 19:35 - 00000062 ___SH C:\Documents and Settings\Suad\Local Settings\desktop.ini
2016-12-30 20:39 - 2013-09-26 19:28 - 2145386496 ___SH C:\pagefile.sys
2016-12-30 20:39 - 2006-06-06 13:01 - 00524288 _____ C:\WINDOWS\system32\config\SysEvent.Evt
2016-12-30 20:39 - 2006-06-06 13:01 - 00524288 _____ C:\WINDOWS\system32\config\AppEvent.Evt
2016-12-30 20:39 - 2006-06-06 13:01 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY
2016-12-30 20:39 - 2006-06-06 13:01 - 00262144 _____ C:\WINDOWS\system32\config\SAM
2016-12-30 20:39 - 2006-06-06 13:01 - 00001024 ____H C:\WINDOWS\system32\config\SAM.LOG
2016-12-30 20:39 - 2006-06-06 13:00 - 29622272 _____ C:\WINDOWS\system32\config\software
2016-12-30 20:39 - 2006-06-06 13:00 - 09699328 _____ C:\WINDOWS\system32\config\system
2016-12-30 20:39 - 2006-06-06 13:00 - 00524288 _____ C:\WINDOWS\system32\config\default
2016-12-30 20:39 - 2006-06-06 12:14 - 00262144 ____H C:\Documents and Settings\NetworkService\NTUSER.DAT
2016-12-30 20:39 - 2006-06-06 12:14 - 00262144 ____H C:\Documents and Settings\LocalService\NTUSER.DAT
2016-12-30 20:39 - 2006-06-06 12:14 - 00002048 ____S C:\WINDOWS\bootstat.dat
2016-12-30 20:39 - 2006-06-06 12:14 - 00000062 ___SH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2016-12-30 20:39 - 2006-06-06 12:14 - 00000062 ___SH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2016-12-30 20:39 - 2006-06-06 12:14 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-12-30 20:38 - 2013-09-26 19:35 - 00000178 ___SH C:\Documents and Settings\Suad\ntuser.ini
2016-12-30 19:41 - 2006-06-06 12:56 - 00000000 ____D C:\WINDOWS\system32\Drivers\etc
2016-12-30 19:41 - 2006-06-06 12:14 - 00000000 __SHD C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
2016-12-30 19:41 - 2006-06-06 12:14 - 00000000 __SHD C:\Documents and Settings\LocalService
2016-12-30 18:53 - 2006-06-06 13:02 - 00603162 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-12-30 18:53 - 2006-06-06 12:56 - 00000000 ____D C:\WINDOWS\system32
2016-12-30 18:53 - 2006-06-06 10:55 - 00502860 _____ C:\WINDOWS\system32\perfh009.dat
2016-12-30 18:53 - 2006-06-06 10:55 - 00088384 _____ C:\WINDOWS\system32\perfc009.dat
2016-12-30 09:48 - 2006-06-06 12:56 - 00000000 ____D C:\WINDOWS\system32\drivers
2016-12-30 09:48 - 2006-06-06 12:15 - 00000000 ___HD C:\Documents and Settings\Administrator\Local Settings
2016-12-30 09:48 - 2006-06-06 12:14 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings
2016-12-30 09:46 - 2013-09-26 19:35 - 00000000 ___RD C:\Documents and Settings\Suad\Start Menu\Programs\Startup
2016-12-30 09:46 - 2006-06-06 12:08 - 00000000 ___SD C:\WINDOWS\Tasks
2016-12-30 09:38 - 2006-06-06 10:55 - 00000227 _____ C:\WINDOWS\system.ini
2016-12-30 09:37 - 2014-01-05 18:33 - 01532826 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-391094972-1096999475-3888860593-1005-0.dat
2016-12-30 09:37 - 2006-06-06 10:54 - 00000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts
2016-12-30 09:35 - 2013-09-26 20:21 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\DMCache
2016-12-30 09:35 - 2006-06-06 12:14 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
2016-12-30 09:34 - 2006-06-06 13:02 - 00000000 ____D C:\Program Files
2016-12-30 09:34 - 2006-06-06 13:01 - 00000000 __RHD C:\Documents and Settings\All Users\Application Data
2016-12-30 09:34 - 2006-06-06 13:01 - 00000000 ____D C:\Documents and Settings\All Users
2016-12-30 09:33 - 2013-09-27 06:05 - 00000000 ____D C:\Documents and Settings\Suad\Local Settings\Application Data\Temp
2016-12-30 09:32 - 2006-06-06 13:02 - 00000000 ____D C:\Program Files\Common Files
2016-12-30 09:32 - 2006-06-06 12:56 - 00000000 ____D C:\WINDOWS\AppPatch
2016-12-30 09:26 - 2013-09-26 19:35 - 00000000 ___HD C:\Documents and Settings\Suad\Application Data
2016-12-30 09:24 - 2015-03-25 02:06 - 00001024 ____H C:\Documents and Settings\Default User\ntuser.dat.LOG
2016-12-30 09:23 - 2015-03-25 02:01 - 00000000 ____D C:\WINDOWS\erdnt
2016-12-29 13:15 - 2015-12-17 11:53 - 00000712 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-29 10:30 - 2013-09-26 19:35 - 00000000 ___RD C:\Documents and Settings\Suad\My Documents
2016-12-29 09:32 - 2006-06-06 12:56 - 00000000 ____D C:\WINDOWS\Media
2016-12-29 08:39 - 2014-04-08 17:33 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-12-29 08:30 - 2016-02-22 23:33 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
2016-12-29 08:30 - 2015-08-24 18:40 - 00000000 ____D C:\AdwCleaner
2016-12-29 08:30 - 2006-06-06 13:01 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs
2016-12-29 00:51 - 2016-09-21 09:44 - 00000000 ____D C:\Program Files\eMule
2016-12-28 22:52 - 2013-09-27 04:50 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2296011$
2016-12-28 06:53 - 2014-05-16 08:17 - 00002274 _____ C:\Documents and Settings\Suad\Desktop\Pasoši.txt
2016-12-27 20:57 - 2013-09-26 19:44 - 00000000 ___RD C:\Documents and Settings\Suad\Desktop\Web
2016-12-27 20:54 - 2013-09-26 19:35 - 00000000 ___RD C:\Documents and Settings\Suad\Start Menu
2016-12-27 20:52 - 2014-05-16 13:52 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\APLIKACIJE
2016-12-27 18:36 - 2014-11-29 13:11 - 00000000 ____D C:\Documents and Settings\Suad\Local Settings\Application Data\JDownloader 2.0
2016-12-27 18:32 - 2013-09-26 19:35 - 00000000 ___RD C:\Documents and Settings\Suad\Start Menu\Programs
2016-12-27 17:59 - 2016-02-08 14:05 - 00000000 ____D C:\Program Files\Internet Download Manager
2016-12-27 12:28 - 2014-02-19 09:50 - 00002964 _____ C:\Documents and Settings\Suad\Desktop\Nema.txt
2016-12-27 12:03 - 2015-08-12 09:21 - 00000000 ____D C:\Program Files\CCleaner
2016-12-26 15:42 - 2016-09-27 16:05 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Everything You Always Wanted To Know About Sex But Were Afraid To Ask (1972)
2016-12-26 05:10 - 2014-11-11 09:49 - 00000514 _____ C:\Documents and Settings\Suad\Desktop\Google Tips.txt
2016-12-24 09:22 - 2016-09-03 15:29 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Janet King
2016-12-21 13:16 - 2015-07-15 17:55 - 00802904 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-12-21 13:16 - 2015-07-15 17:55 - 00144472 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-12-21 13:16 - 2013-09-26 19:35 - 00000000 ____D C:\Documents and Settings\Suad\Local Settings\Application Data\Adobe
2016-12-20 10:04 - 2016-09-20 20:31 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Lucifer S02
2016-12-18 08:42 - 2015-12-17 11:53 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-12-17 00:01 - 2006-06-06 13:02 - 00000000 __SHD C:\WINDOWS\Installer
2016-12-16 12:20 - 2013-12-12 14:29 - 00000000 ____D C:\Documents and Settings\Suad\Application Data\vlc
2016-12-14 12:57 - 2006-06-06 13:01 - 00000000 ____D C:\Documents and Settings\All Users\Desktop
2016-12-14 08:34 - 2013-09-26 19:35 - 00000000 ___RD C:\Documents and Settings\Suad\My Documents\My Pictures
2016-12-08 15:00 - 2014-03-19 17:07 - 00000214 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2016-12-08 10:36 - 2016-11-11 10:36 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\Doctor Strange (2016)
2016-12-06 10:42 - 2016-01-19 18:45 - 00000000 ____D C:\Documents and Settings\Suad\Desktop\VIDEOSOFT
2016-12-05 14:39 - 2013-10-19 16:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2016-12-05 14:38 - 2013-10-19 16:07 - 00000000 ___RD C:\Program Files\Skype
2016-12-05 14:35 - 2013-09-26 21:11 - 00000942 _____ C:\Documents and Settings\Suad\Start Menu\Programs\MediaInfo.lnk

==================== Files in the root of some directories =======

2013-12-29 00:49 - 2014-10-22 00:33 - 0001137 _____ () C:\Documents and Settings\Suad\Application Data\DVDSubEdit.ini
2015-04-14 17:28 - 2015-04-14 17:28 - 0004387 _____ () C:\Documents and Settings\Suad\Application Data\dVTHBUqjXXWxbbyQjxZQsrCuM
2016-02-16 17:44 - 2013-01-08 03:19 - 18158238 _____ () C:\Documents and Settings\Suad\Local Settings\Application Data\OcrMap.bin

Some files in TEMP:
====================
C:\Documents and Settings\Suad\Local Settings\Temp\avgnt.exe
C:\Documents and Settings\Suad\Local Settings\Temp\NEventMessages.dll
C:\Documents and Settings\Suad\Local Settings\Temp\NOSEventMessages.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
Attached Files
File Type: zip Addition.zip (7.8 KB, 30 views)
Old 01-02-2017, 11:28 AM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Suadnovic.
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST.exe

    NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    GroupPolicy: Restriction ? <======= ATTENTION
    GroupPolicy\User: Restriction - Chrome <======= ATTENTION
    CHR HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yourtv.link
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
    SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
    FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
    c:\documents and settings\All Users\iobakf
    Folder: C:\Documents and Settings\All Users\Windows XP
    EmptyTemp:
    end
  • Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 01-02-2017, 04:54 PM   #14
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



Fix result of Farbar Recovery Scan Tool (x86) Version: 01-01-2017
Ran by Suad (03-01-2017 02:04:03) Run:2
Running from C:\Documents and Settings\Suad\Desktop\Farbar Recovery Scan Tool
Loaded Profiles: Suad (Available Profiles: Suad & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
createrestorepoint:
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
CHR HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yourtv.link
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
c:\documents and settings\All Users\iobakf
Folder: C:\Documents and Settings\All Users\Windows XP
EmptyTemp:
end
*****************

Restore point was successfully created.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google => key removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => key removed successfully.
HKCR\CLSID\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => key not found.
C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 => path removed successfully.
c:\documents and settings\All Users\iobakf => moved successfully

========================= Folder: C:\Documents and Settings\All Users\Windows XP ========================


====== End of Folder: ======


=========== EmptyTemp: ==========

BITS transfer queue => 9769 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 89512 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/dllcache/drivers => 1331419 B
Edge => 0 B
Chrome => 16193413 B
Firefox => 55687363 B
Opera => 53165792 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 0 B
All Users => 0 B
systemprofile => 0 B
==========
And I had a memory dumping message during the run.
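Added example (editor's, not code from either poster or from the FRST tool): a small Python script that reads the result lines of a Fixlog.txt like the two runs posted in this thread and reports whether the second run had to remove the same items again. The fix above works by moving the hijacker's Group Policy folders out of the way and deleting the Policies registry keys that pin the browsers' start page and search provider to yourtv.link; if a rerun after the reboot reports those items as "not found", nothing re-created them, whereas a second "moved successfully" for the same path is the sign of a persistence mechanism still running (the "value restored successfully" lines are written on every run and so prove nothing either way). The result-line format, the outcome phrases and the function names are assumptions taken from the log lines visible here, the two embedded excerpts are shortened from the posted runs, and the "reinfected" excerpt is invented to show the failure case.

```python
"""Check whether an FRST fix stuck by comparing two Fixlog.txt runs.

Added example, not code from the thread or from the FRST tool. The result-line
format ("<target> => <outcome>") and the outcome phrases are assumptions taken
from the Fixlog lines posted in this thread; nothing here is the tool's own
parser.
"""
import re
from typing import Dict, List

# "<target> => <outcome>" with an optional quoted target and trailing period.
_RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')

# Outcome phrases seen in the posted logs (assumption: FRST may use others).
_REMOVED = ("moved successfully", "key removed successfully",
            "value removed successfully", "path removed successfully")
_RESTORED = ("value restored successfully",)


def classify(outcome: str) -> str:
    """Bucket one outcome phrase: removed, restored, absent or other."""
    o = outcome.lower()
    if any(o.endswith(p) for p in _REMOVED):
        return "removed"
    if any(o.endswith(p) for p in _RESTORED):
        return "restored"
    if "not found" in o:
        return "absent"
    return "other"


def parse_fixlog(text: str) -> Dict[str, str]:
    """Map each lower-cased target (path or registry key) to its bucket."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip headers and the EmptyTemp size report ("Chrome => 16193413 B").
        if not line or line.startswith("=") or line.endswith(" B"):
            continue
        m = _RESULT_RE.match(line)
        if m:
            results[m.group("target").strip().lower()] = classify(m.group("outcome"))
    return results


def reapplied_targets(first: Dict[str, str], second: Dict[str, str]) -> List[str]:
    """Targets removed in the first run that had to be removed again in the second.

    Restored values do not count: the start page and about:newtab values are
    rewritten on every run, so "restored" in both logs is expected, while a
    second "moved"/"removed" for the same item means something re-created it.
    """
    return sorted(t for t, b in first.items()
                  if b == "removed" and second.get(t) == "removed")


# Excerpts constructed from the two Fixlog runs posted in this thread
# (shortened; keys use the same SID as the logs).
_SID = r"HKU\S-1-5-21-391094972-1096999475-3888860593-1005"
RUN2 = rf"""
Restore point was successfully created.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
{_SID}\SOFTWARE\Policies\Google => key removed successfully.
{_SID}\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
{_SID}\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
c:\documents and settings\All Users\iobakf => moved successfully
Chrome => 16193413 B
"""
RUN3 = rf"""
Restore point was successfully created.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
"C:\WINDOWS\system32\GroupPolicy\User" => not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
{_SID}\SOFTWARE\Policies\Google => key not found.
{_SID}\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
{_SID}\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
"c:\documents and settings\All Users\iobakf" => not found.
"""
# Invented failure case (not from the thread): the policy folder came back.
RUN3_REINFECTED = RUN3.replace(
    r'"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.',
    r"C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully")


if __name__ == "__main__":
    for label, second in (("clean rerun", RUN3), ("reinfected rerun", RUN3_REINFECTED)):
        again = reapplied_targets(parse_fixlog(RUN2), parse_fixlog(second))
        print(f"{label}: {'fix held' if not again else 'recreated: ' + ', '.join(again)}")
```

Run it against the real Fixlog.txt files by reading them into RUN2 and RUN3 instead of the excerpts; an empty list from reapplied_targets means the rerun found nothing to remove again, which is what the posted Run:3 shows for the GroupPolicy folders, the Policies keys and the iobakf folder.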
Old 01-02-2017, 05:12 PM   #15
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



So I ran it again; this time there was a request for a restart, and here is the file after finishing.
============
Fix result of Farbar Recovery Scan Tool (x86) Version: 01-01-2017
Ran by Suad (03-01-2017 02:10:50) Run:3
Running from C:\Documents and Settings\Suad\Desktop\Farbar Recovery Scan Tool
Loaded Profiles: Suad (Available Profiles: Suad & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
createrestorepoint:
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
CHR HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yourtv.link
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
c:\documents and settings\All Users\iobakf
Folder: C:\Documents and Settings\All Users\Windows XP
EmptyTemp:
end
*****************

Restore point was successfully created.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
"C:\WINDOWS\system32\GroupPolicy\User" => not found.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Google => key not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => key not found.
HKCR\CLSID\{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} => key not found.
"c:\documents and settings\All Users\iobakf" => not found.

========================= Folder: C:\Documents and Settings\All Users\Windows XP ========================


====== End of Folder: ======


=========== EmptyTemp: ==========

BITS transfer queue => 9769 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 0 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/dllcache/drivers => 0 B
Edge => 0 B
Chrome => 248832 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 0 B
All Users => 0 B
systemprofile => 0 B
LocalService => 66440 B
NetworkService => 16741 B
Suad => 1803457 B
Administrator => 0 B

RecycleBin => 4903 B
EmptyTemp: => 2.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 02:11:06 ====

===========
Google custom search disappeared!
Suadnovic is offline  
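The fixlist above is a compact record of where a browser hijacker had taken hold: policy "Restriction" keys that lock browser settings, the IE Start Page value, and a SearchScopes DefaultScope whose URL hides the hijack domain inside a Google Custom Search query parameter (siteurl=). As an added example (not FRST's own code, and not something the thread's participants wrote), here is a small Python parser for lines in that FRST format that pulls out the flagged entries and checks which URLs point, directly or through a query value, at a suspected domain. The sample input is constructed from the lines shown in the post above; the only assumption is that the lines keep the layout FRST printed here.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample, adapted from the FRST fixlist lines quoted in the thread.
SAMPLE_FIXLIST = r"""
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy\User: Restriction - Chrome <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-391094972-1096999475-3888860593-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yourtv.link
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-391094972-1096999475-3888860593-1005 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxp://www.google.com/cse?cx=partner-pub-8036109189802438%3A7790813904&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=yourtv.link%2F
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
EmptyTemp:
"""

ATTENTION = "<======= ATTENTION"

# "<hive>\...\Main,Start Page = <url>" and "SearchScopes: <hive> -> <scope> URL = <url>"
START_PAGE_RE = re.compile(r"^(?P<key>.+?\\Main),Start Page = (?P<url>\S*)$")
SEARCH_SCOPE_RE = re.compile(r"^SearchScopes: (?P<key>.+?) URL =\s*(?P<url>\S*)$")


def refang(url):
    """FRST prints URLs as hxxp:// so they are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def _host_of(value):
    """Host part of a query value that may itself be a (percent-encoded) URL or bare host."""
    m = re.match(r"(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", unquote(value), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _matches(host, domain):
    return host == domain or host.endswith("." + domain)


def url_references(url, domain):
    """True if the URL's host is `domain` (or a subdomain), or any query value names it.
    The second check is what catches the custom-search redirector pattern above, where the
    hijack domain appears only as siteurl=... while the host is www.google.com."""
    domain = domain.lower()
    parsed = urlparse(refang(url))
    if _matches((parsed.hostname or "").lower(), domain):
        return True
    return any(_matches(_host_of(v), domain)
               for values in parse_qs(parsed.query).values() for v in values)


def parse_fixlist(text):
    """Turn FRST fixlist lines into dicts: kind, key, url, flagged (had the ATTENTION marker)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flagged = line.endswith(ATTENTION)
        if flagged:
            line = line[: -len(ATTENTION)].rstrip()
        entry = {"kind": "other", "key": line, "url": "", "flagged": flagged}
        m = START_PAGE_RE.match(line)
        if m:
            entry.update(kind="start_page", key=m["key"], url=m["url"])
        else:
            m = SEARCH_SCOPE_RE.match(line)
            if m:
                entry.update(kind="search_scope", key=m["key"], url=m["url"])
            elif "Restriction" in line:
                # Policy keys that lock browser settings (GroupPolicy, HK*\SOFTWARE\Policies\...)
                entry["kind"] = "restriction"
        entries.append(entry)
    return entries


def find_hijacks(text, domain):
    """Entries whose URL points at `domain`, directly or via a query parameter."""
    return [e for e in parse_fixlist(text) if e["url"] and url_references(e["url"], domain)]


if __name__ == "__main__":
    for e in parse_fixlist(SAMPLE_FIXLIST):
        print("!" if e["flagged"] else " ", e["kind"], e["key"])
    for e in find_hijacks(SAMPLE_FIXLIST, "yourtv.link"):
        print("points at yourtv.link:", e["kind"], e["key"])
```

On the sample, four entries carry the ATTENTION marker (three of them policy restrictions), and two of the URL-bearing entries resolve to yourtv.link: the Start Page directly, and the DefaultScope through its siteurl= parameter even though its host is www.google.com. That second case is why a host-only comparison is not enough when reviewing search-scope values.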
Old 01-02-2017, 05:39 PM   #16
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



But in Opera I have this unwanted search result

Suadnovic is offline  
Old 01-02-2017, 06:58 PM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Suadnovic. You'll have to go into Opera and manually delete any unwanted search engine, etc.

Let me know.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.
  • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
  • Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
  • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
  • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
  • Tick the option Enable detection of potentially unwanted applications
  • Click on Advanced settings
  • Make sure that the option Clean threats automatically is unticked.
  • Ensure these options are ticked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Click Scan
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Please copy/paste the contents of the log in your next reply.
  • To close ESET Online Scanner, select Do not clean then Finish
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 01-03-2017, 12:38 AM   #18
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



I removed the extensions Single-click Cleaner and Fast-search from Opera, and it seems all is OK now.

Suadnovic is offline  
Old 01-03-2017, 03:56 AM   #19
Registered Member
 
Join Date: Dec 2007
Posts: 153
OS: XP Pro



C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi.vir JS/Mindspark.D potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\ccuter.exe.vir a variant of Win32/ELEX.HI potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\ffuter.exe.vir a variant of Win32/ELEX.HI potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\shortboost.exe.vir a variant of Win32/ELEX.HI potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\unIns.exe.vir a variant of Win32/ELEX.HI potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Program Files\SearchesToYesbnd\Winsere.exe.vir a variant of Win32/ELEX.HH potentially unwanted application
C:\Documents and Settings\Suad\Application Data\dVTHBUqjXXWxbbyQjxZQsrCuM JS/Toolbar.Crossrider.C potentially unwanted application
C:\Documents and Settings\Suad\Application Data\uTorrent\updates\3.3.1_30017.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Documents and Settings\Suad\My Documents\Downloads\Compressed\WiFi Hacker 2015.rar Win32/Fynloski.AA trojan
C:\Documents and Settings\Suad\My Documents\Downloads\Programs\utorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Documents and Settings\Suad\My Documents\Downloads\Programs\vpsamz-HotspotShieldVPN 5.20.5\vpsamz-HotspotShieldVPN 5.20.5.rar MSIL/Riskware.HackTool.Crack.B application
C:\Documents and Settings\Suad\My Documents\Downloads\Programs\vpsamz-HotspotShieldVPN 5.20.5\vpsamz-HotspotShieldVPN 5.20.5\Hss_Elite.exe MSIL/Riskware.HackTool.Crack.B application
C:\Documents and Settings\Suad\My Documents\Downloads\Programs\vpsamz-HotspotShieldVPN 5.20.5\vpsamz-HotspotShieldVPN 5.20.5\Hss_Elite.rar MSIL/Riskware.HackTool.Crack.B application
C:\Documents and Settings\Suad\My Documents\Downloads\µTorrent\Završeni transferi\Revo Uninstaller Pro 3.1.6 Final\Revo Uninstaller Pro 3.1.6 RePack (& Portable) by D!akov\RevoUninstallerPro-3.1.6.exe Win32/Adware.HiRu.F application
C:\Documents and Settings\Suad\My Documents\Downloads\µTorrent\Završeni transferi\Revo Uninstaller Pro 3.1.6 Final\Revo Uninstaller Pro 3.1.6 RePack (& portable) by KpoJIuK\Revo.Uninstaller.Pro.v3.1.6.exe Win32/Adware.HiRu.F application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\iobakf\iobakf.exe.vir Win32/CoinMiner.AAG trojan
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP448\A0132371.exe a variant of Win32/Kryptik.FMGC trojan
C:\System Volume Information\_restore{9E67248A-F152-4710-A4B8-745CD4FFE586}\RP451\A0133428.exe Win32/CoinMiner.AAG trojan
===========
In the previous step, I lost all my Firefox bookmarks, and all add-ons are uninstalled.
Suadnovic is offline  
Old 01-03-2017, 01:24 PM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Suadnovic. These 2 FF profiles were listed in your log:

Quote:
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found]
FF ProfilePath: C:\Documents and Settings\Suad\Application Data\Mozilla\Firefox\Profiles\aex6lj8q.default-1473001184500 [2017-01-01]
Are you sure you are looking under the aex6lj8q.default-1473001184500 profile? All your FF extensions are in the aex6lj8q.default-1473001184500 profile.

------------------------------------------------------

As far as the ESET finds, Qoobox is ComboFix's quarantine folder.

System Volume Information is where Windows keeps old system restore points. Both will get deleted when we uninstall ComboFix.

Some of the ESET finds have already been quarantined by AdwCleaner. Those will get deleted when we uninstall AdwCleaner.

------------------------------------------------------

I see you are still downloading cracks via torrents.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Suad\Application Data\dVTHBUqjXXWxbbyQjxZQsrCuM"
"C:\Documents and Settings\Suad\My Documents\Downloads\Compressed\WiFi Hacker 2015.rar"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (

"C:\Documents and Settings\Suad\My Documents\Downloads\Programs\vpsamz-HotspotShieldVPN 5.20.5"
"C:\Documents and Settings\Suad\My Documents\Downloads\µTorrent\Završeni transferi\Revo Uninstaller Pro 3.1.6 Final"

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
chemist is offline  