
Registered · 56 Posts
Hi,

My daughter's computer is incredibly slow and the browsers were hijacked by something which calls itself ~FVP~.

I attached DDS logs.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18205
Run by LG at 16:28:18 on 2016-03-13
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.55.1046.18.1990.114 [GMT -3:00]
.
AV: Antivírus e antispyware da McAfee *Enabled/Updated* {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Antivírus e antispyware da McAfee *Enabled/Updated* {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall *Enabled* {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
C:\Program Files\Motorola\Bluetooth\audiosrv.exe
C:\Program Files\Motorola\Bluetooth\obexsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Users\LG\AppData\Roaming\TSv\TSvr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\SFK\SSFK.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\Windows\system32\GWX\GWX.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LG Software\LG Power Manager Suite\PowerManager.exe
C:\Program Files\LG Software\LG OSD\HotkeyManager.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\lg_swupdate\GiljabiStart.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\ProgramData\Google\update\GoogleUpdate.exe
C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreamsDownloader.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\system32\CompatTelRunner.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\TEMP\4448918C-4469-481E-81B1-3B38CDFC5000\dismhost.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ghokswa Browser\ghokswa\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe
C:\Program Files\Common Files\McAfee\CSP\1.8.267.0\McCSPServiceHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\LG\Desktop\Segurança\dds.com
c:\PROGRA~1\COMMON~1\mcafee\mhn\ALERTH~1.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1435120220&z=8770c4a9f7b6fbf2b02ef6dgczac2w5gdofe2o0gbc&from=ient06241&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
uDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
uDefault_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1435120220&z=8770c4a9f7b6fbf2b02ef6dgczac2w5gdofe2o0gbc&from=ient06241&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mStart Page = about:blank
mSearch Page = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
mDefault_Search_URL = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: LuckyTab Class: {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -
BHO: Auxiliar de Conexão do Windows Live ID: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SafeKey Vault: {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: GbIehObj Class: {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: McAfee SafeKey: {61D700C1-7D8D-43c5-9C13-4FF85157CFE6} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [TornTv Downloader] C:\Users\LG\AppData\Roaming\TornTV.com\Torntv Downloader.exe /c=startup
uRun: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "C:\Users\LG\AppData\Everything" "C:\Users\LG\NTUSER.DAT" "C:\Users\LG\ntuser.dat.LOG1" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" "C:\Users\LG\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" "C:\Users\LG\ntuser.dat.LOG2"
mRun: [LG Intelligent Update] "C:\Program Files (x86)\lg_swupdate\giljabistart.exe" Gilautouc
mRun: [LG Media FUNtasia] "C:\Program Files (x86)\LG Software\LG Media FUNtasia\MediaFuntasiaStart.exe" tray
mRun: [LG Smart Page] "C:\Program Files (x86)\LG Software\LG Smart Page\TOStart.exe" tray
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-0018-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-006E-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-001A-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
dRunOnce: [{90140000-00A1-0416-0000-0000000FF1CE}] C:\Windows\System32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
StartupFolder: C:\Users\LG\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TORNTV~1.LNK - C:\Users\LG\AppData\Roaming\TornTV.com\TornTV Downloader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Enviar para o OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: E&xportar para o Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: SafeKey - C:\Users\LG\AppData\LocalLow\SafeKey\context.html?cmd=lastpass
IE: SafeKey Fill Forms - C:\Users\LG\AppData\LocalLow\SafeKey\context.html?cmd=fillforms
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {bd707fe6-39f6-4bda-9265-86a76719bdc5} - C:\Program Files\Motorola\Bluetooth\btmiesend.htm
Trusted Zone: itau.com.br
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{305460FA-0359-48B1-AD6D-3BA43A3E9623} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{3BE3484F-5F3A-473A-A004-77D5F38DD402} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{555205B8-DCC6-42C5-8D10-B4B1A76424BC} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{555205B8-DCC6-42C5-8D10-B4B1A76424BC}\9437162656C616024416E6471637 : DHCPNameServer = 200.222.0.34 200.202.193.75
TCP: Interfaces\{F1F1E1DB-E21F-4D3B-9602-84094A923778} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: GbPluginUni - C:\Program Files (x86)\GbPlugin\gbiehUni.dll
AppInit_DLLs= C:\PROGRA~2\SupTab\SEARCH~1.DLL
SSODL: WebCheck - <orphaned>
SEH: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
x64-mStart Page = about:blank
x64-mSearch Page = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
x64-mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1452679535&z=fa819f3249e7c2e053af1eagcz4wao8q8m9t5wac1w&from=ient07021&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT
x64-mDefault_Search_URL = hxxp://www.qone8.com/web/?type=ds&ts=1401377870&from=smt&uid=TOSHIBAXMK3259GSXP_23AZC4RATXX23AZC4RAT&q={searchTerms}
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: McAfee SafeKey Vault: {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: McAfee SafeKey: {61D700C1-7D8D-43c5-9C13-4FF85157CFE6} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-Run: [PowerManager] C:\Program Files\LG Software\LG Power Manager Suite\PowerManager.exe
x64-Run: [HotkeyManager] C:\Program Files\LG Software\LG OSD\HotkeyManager.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {9DB059B3-DD36-4a55-846C-59BE42A1202A} - C:\Program Files (x86)\SafeKey\LPToolbar_x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {bd707fe6-39f6-4bda-9265-86a76719bdc5} - C:\Program Files\Motorola\Bluetooth\btmiesend.htm
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2014-10-1 846080]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2014-10-1 245096]
R3 BTMUSB;Motorola Bluetooth Radio Service;C:\Windows\System32\drivers\btmusb.sys [2010-1-2 663936]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2014-10-1 79248]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2011-1-28 31088]
R3 IntcDAud;Áudio do vídeo Intel(R);C:\Windows\System32\drivers\IntcDAud.sys [2011-8-23 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-9-19 108656]
R3 mfeaack;McAfee Inc. mfeaack;C:\Windows\System32\drivers\mfeaack.sys [2015-2-17 419624]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2014-10-1 351144]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2014-10-1 496368]
R3 mfencbdc;McAfee Inc. mfencbdc;C:\Windows\System32\drivers\mfencbdc.sys [2015-11-20 539496]
R3 mfesapsn;McAfee Process Start Notification Service;C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [2016-2-18 36968]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-1-2 1360960]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-11-22 339560]
S3 BTMCOM;Bluetooth Serial Port;C:\Windows\System32\drivers\btmcom.sys [2010-1-2 52736]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-11-22 48488]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2015-7-2 207208]
S3 mfencrk;McAfee Inc. mfencrk;C:\Windows\System32\drivers\mfencrk.sys [2015-11-20 109480]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2013-8-6 23040]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2012-10-9 1165928]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2015-6-17 54784]
S3 wsvd;wsvd;C:\Windows\System32\drivers\wsvd.sys [2010-8-9 125936]
.
=============== Created Last 30 ================
.
2016-02-16 07:24:56 -------- d-----w- C:\Windows\rescache
2016-02-16 06:16:59 1018368 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2016-02-16 06:16:58 10949120 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
2016-02-16 06:16:30 141312 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2016-02-16 06:16:26 3211776 ----a-w- C:\Windows\System32\win32k.sys
2016-02-16 06:16:14 2085888 ----a-w- C:\Windows\System32\ole32.dll
2016-02-16 06:16:13 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2016-02-16 06:14:32 3231232 ----a-w- C:\Windows\explorer.exe
2016-02-16 06:14:30 2973184 ----a-w- C:\Windows\SysWow64\explorer.exe
2016-02-16 06:14:30 1940992 ----a-w- C:\Windows\System32\authui.dll
2016-02-16 06:14:30 1866752 ----a-w- C:\Windows\System32\ExplorerFrame.dll
2016-02-16 06:14:30 1805824 ----a-w- C:\Windows\SysWow64\authui.dll
2016-02-16 06:14:30 1498624 ----a-w- C:\Windows\SysWow64\ExplorerFrame.dll
2016-02-16 03:09:10 -------- d-----w- C:\Program Files (x86)\iTunes
2016-02-16 03:09:09 -------- d-----w- C:\Program Files\iPod
2016-02-16 03:08:32 -------- d-----w- C:\Program Files\iTunes
2016-02-16 03:03:33 -------- d-----w- C:\Program Files\Bonjour
2016-02-16 03:03:33 -------- d-----w- C:\Program Files (x86)\Bonjour
2016-02-16 02:57:23 -------- d-----w- C:\Users\LG\AppData\Local\Apple Inc
2016-02-16 02:10:59 -------- d-----w- C:\ProgramData\Intel Security
2016-02-16 01:56:27 -------- d-----w- C:\Program Files\Common Files\Intel Security
.
==================== Find3M ====================
.
2016-02-06 10:32:57 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2016-02-06 10:10:21 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2016-02-06 09:54:50 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2016-02-06 09:37:23 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2016-01-22 06:56:05 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2016-01-22 06:41:35 66560 ----a-w- C:\Windows\System32\iesetup.dll
2016-01-22 06:40:50 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2016-01-22 06:40:43 417792 ----a-w- C:\Windows\System32\html.iec
2016-01-22 06:40:13 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2016-01-22 06:40:12 571904 ----a-w- C:\Windows\System32\vbscript.dll
2016-01-22 06:29:43 6052352 ----a-w- C:\Windows\System32\jscript9.dll
2016-01-22 06:27:40 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2016-01-22 06:27:24 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2016-01-22 06:27:10 5573056 ----a-w- C:\Windows\System32\ntoskrnl.exe
2016-01-22 06:27:08 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2016-01-22 06:27:08 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2016-01-22 06:24:12 1733592 ----a-w- C:\Windows\System32\ntdll.dll
2016-01-22 06:20:53 362496 ----a-w- C:\Windows\System32\wow64win.dll
2016-01-22 06:20:53 243712 ----a-w- C:\Windows\System32\wow64.dll
2016-01-22 06:20:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2016-01-22 06:20:36 215040 ----a-w- C:\Windows\System32\winsrv.dll
2016-01-22 06:20:33 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2016-01-22 06:20:31 210432 ----a-w- C:\Windows\System32\wdigest.dll
2016-01-22 06:20:20 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2016-01-22 06:20:10 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2016-01-22 06:20:10 135680 ----a-w- C:\Windows\System32\sspicli.dll
2016-01-22 06:20:08 503808 ----a-w- C:\Windows\System32\srcore.dll
2016-01-22 06:20:08 50176 ----a-w- C:\Windows\System32\srclient.dll
2016-01-22 06:19:06 28160 ----a-w- C:\Windows\System32\secur32.dll
2016-01-22 06:19:04 344064 ----a-w- C:\Windows\System32\schannel.dll
2016-01-22 06:19:02 1214464 ----a-w- C:\Windows\System32\rpcrt4.dll
2016-01-22 06:18:49 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2016-01-22 06:18:49 723968 ----a-w- C:\Windows\System32\EncDec.dll
2016-01-22 06:18:32 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2016-01-22 06:17:03 312320 ----a-w- C:\Windows\System32\ncrypt.dll
2016-01-22 06:17:01 159744 ----a-w- C:\Windows\System32\mtxoci.dll
2016-01-22 06:17:00 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2016-01-22 06:16:55 60416 ----a-w- C:\Windows\System32\msobjs.dll
2016-01-22 06:16:39 146432 ----a-w- C:\Windows\System32\msaudite.dll
2016-01-22 06:16:00 1461248 ----a-w- C:\Windows\System32\lsasrv.dll
2016-01-22 06:15:31 730112 ----a-w- C:\Windows\System32\kerberos.dll
2016-01-22 06:15:31 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2016-01-22 06:13:15 3993536 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2016-01-22 06:13:15 3938752 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2016-01-22 06:13:06 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2016-01-22 06:13:04 43520 ----a-w- C:\Windows\System32\cryptbase.dll
2016-01-22 06:13:03 22016 ----a-w- C:\Windows\System32\credssp.dll
2016-01-22 06:09:40 1314328 ----a-w- C:\Windows\SysWow64\ntdll.dll
2016-01-22 06:09:06 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2016-01-22 06:06:50 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2016-01-22 06:06:50 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2016-01-22 06:06:50 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2016-01-22 06:06:50 275456 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2016-01-22 06:06:30 171520 ----a-w- C:\Windows\SysWow64\wdigest.dll
2016-01-22 06:06:19 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2016-01-22 06:06:11 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2016-01-22 06:05:27 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2016-01-22 06:05:20 251392 ----a-w- C:\Windows\SysWow64\schannel.dll
2016-01-22 06:04:36 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2016-01-22 06:04:36 535040 ----a-w- C:\Windows\SysWow64\EncDec.dll
2016-01-22 06:02:58 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2016-01-22 06:02:56 114176 ----a-w- C:\Windows\SysWow64\mtxoci.dll
2016-01-22 06:02:55 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2016-01-22 06:02:52 176128 ----a-w- C:\Windows\SysWow64\msorcl32.dll
2016-01-22 06:02:49 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2016-01-22 06:02:26 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2016-01-22 06:02:01 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2016-01-22 06:02:01 496640 ----a-w- C:\Windows\SysWow64\vbscript.dll
2016-01-22 06:02:00 553472 ----a-w- C:\Windows\SysWow64\kerberos.dll
2016-01-22 06:01:26 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2016-01-22 06:01:17 341504 ----a-w- C:\Windows\SysWow64\html.iec
2016-01-22 06:00:26 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2016-01-22 05:51:37 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2016-01-22 05:46:10 2123264 ----a-w- C:\Windows\System32\inetcpl.cpl
2016-01-22 05:46:00 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2016-01-22 05:39:38 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2016-01-22 05:35:15 4611072 ----a-w- C:\Windows\SysWow64\jscript9.dll
2016-01-22 05:31:43 2597376 ----a-w- C:\Windows\System32\wininet.dll
2016-01-22 05:24:59 2050560 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2016-01-22 05:24:40 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2016-01-22 05:13:56 64000 ----a-w- C:\Windows\System32\auditpol.exe
2016-01-22 05:07:28 2120704 ----a-w- C:\Windows\SysWow64\wininet.dll
2016-01-22 05:07:16 338432 ----a-w- C:\Windows\System32\conhost.exe
2016-01-22 05:07:09 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2016-01-22 05:05:44 296960 ----a-w- C:\Windows\System32\rstrui.exe
2016-01-22 04:59:53 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2016-01-22 04:58:52 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2016-01-22 04:58:46 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2016-01-22 04:57:17 30720 ----a-w- C:\Windows\System32\lsass.exe
2016-01-22 04:57:09 112640 ----a-w- C:\Windows\System32\smss.exe
2016-01-22 04:53:59 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2016-01-22 04:53:56 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2016-01-22 04:53:56 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2016-01-22 04:53:55 2048 ----a-w- C:\Windows\SysWow64\user.exe
2016-01-22 04:51:55 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2016-01-22 04:51:40 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2016-01-22 04:51:40 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2016-01-22 04:51:40 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2016-01-22 04:51:40 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2016-01-16 19:06:53 25024 ----a-w- C:\Windows\System32\CompatTelRunner.exe
.
============= FINISH: 16:32:41,24 ===============
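As an added example (not part of the original post, and not code from DDS or the forum), a small Python triage script for the "Pseudo HJT Report" section of a DDS log like the one above. It flags start/search pages pointing at hosts outside a known-search-engine allowlist, BHO/toolbar registrations with no DLL path (orphaned add-ons), autoruns launched from the user's profile directory, and a populated AppInit_DLLs. The allowlist, the line patterns and the sample lines (modelled on the entries above) are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    key: str       # DDS entry type that was flagged, e.g. "uSearch Page"
    detail: str    # why it was flagged
    line: str      # the raw report line


# Hosts a clean Internet Explorer setup normally points at. Everything else in a
# Start/Search/Default_* entry is reported as a possible hijack. This allowlist
# is an assumption of this example; extend it for your own environment.
KNOWN_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "search.yahoo.com", "www.msn.com",
    "go.microsoft.com",
}

# Constructed sample in the DDS "Pseudo HJT Report" format (DDS writes http:// as hxxp://).
SAMPLE_LOG = r"""
uStart Page = about:blank
uSearch Page = hxxp://search.delta-homes.com/web/?type=ds&q={searchTerms}
mDefault_Page_URL = hxxp://www.yoursites123.com/?type=hp
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: LuckyTab Class: {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -
uRun: [TornTv Downloader] C:\Users\LG\AppData\Roaming\TornTV.com\Torntv Downloader.exe /c=startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
AppInit_DLLs= C:\PROGRA~2\SupTab\SEARCH~1.DLL
TCP: NameServer = 192.168.1.1
"""

_PAGE_KEYS = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")
_PAGE_RE = re.compile(
    r"^(?P<key>(?:x64-)?[umd](?:" + "|".join(re.escape(k) for k in _PAGE_KEYS) + r"))\s*=\s*(?P<value>.*)$"
)
_RUN_RE = re.compile(r"^(?P<key>(?:x64-)?[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_BHO_RE = re.compile(r"^(?P<key>(?:x64-)?(?:BHO|TB)):\s*(?P<name>.*?):\s*(?P<clsid>\{[^}]+\})\s*-\s*(?P<path>.*)$")
_APPINIT_RE = re.compile(r"^(?P<key>AppInit_DLLs)\s*=\s*(?P<value>.*)$")
# Program part of an unquoted command: stop at the first executable extension
# that is followed by whitespace or end of line (so "TornTV.com\..." is not cut short).
_EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)", re.IGNORECASE)


def autorun_executable(cmd: str) -> str:
    """Return the program part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def page_host(value: str) -> Optional[str]:
    """Hostname of a DDS page/search value, undoing the hxxp:// defanging."""
    return urlparse(value.replace("hxxp://", "http://", 1)).hostname


def triage(report: str) -> List[Finding]:
    """Scan a DDS 'Pseudo HJT Report' and return the entries worth a closer look."""
    findings: List[Finding] = []
    for line in report.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := _PAGE_RE.match(line):
            value = m.group("value").strip()
            if value.lower() == "about:blank":
                continue  # IE's blank page is a clean default
            host = page_host(value)
            if host is None or host.lower() not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("high", m.group("key"),
                                        f"browser page/search redirected to unknown host {host!r}", line))
        elif m := _RUN_RE.match(line):
            exe = autorun_executable(m.group("cmd"))
            if "\\appdata\\" in exe.lower():
                findings.append(Finding("medium", m.group("key"),
                                        f"autorun launches {exe} from a user-writable profile directory", line))
        elif m := _BHO_RE.match(line):
            if not m.group("path").strip():
                findings.append(Finding("medium", m.group("key"),
                                        f"{m.group('name')} {m.group('clsid')} registered without a DLL path (orphaned add-on)", line))
        elif m := _APPINIT_RE.match(line):
            if m.group("value").strip():
                findings.append(Finding("high", m.group("key"),
                                        f"AppInit_DLLs injects {m.group('value').strip()} into every process that loads user32.dll", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.key}: {f.detail}")
```

Run it against the full report text rather than the sample to get the same five classes of finding over a real log; entries it does not flag still need a human read.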
 


Premium Member · 29,813 Posts
Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Note - Please do NOT upgrade your OS to Windows 10 until your machine is clean, and we have uninstalled all our removal tools. Thanks.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
 

Premium Member · 29,813 Posts
Hello ehgpdantas.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Back up your files - Windows Help

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

How To Create a Windows 7 System Repair Disc [Easy]

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {B3DB1D43-0368-48DF-A7F7-C2EA5E2E2FD2} - System32\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43 => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATENÇÃO
    Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA1d014e8ac204e43.job => C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe <==== ATENÇÃO
    AlternateDataStreams: C:\Windows\System32:323A41CD_Uni.gbp [2]
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
    AlternateDataStreams: C:\Users\Todos os Usuários\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
    HKU\S-1-5-21-4281146232-1754030423-2531835936-1002\...\MountPoints2: {a895cf3f-e053-11e3-9918-00e0914c7256} - E:\Autorun.exe
    HKU\S-1-5-18\...\RunOnce: [{90140000-003D-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-0018-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-006E-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-001A-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    HKU\S-1-5-18\...\RunOnce: [{90140000-00A1-0416-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
    C:\ProgramData\Microsoft Help\Rgstrtn.lck
    ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} =>  Nenhum Arquivo
    CHR HKLM\SOFTWARE\Policies\Google: Restrição <======= ATENÇÃO
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-21-4281146232-1754030423-2531835936-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    Folder: "%allusersprofile%\Application Data\Microsoft Help"
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
 

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. How is the machine behaving?

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
 

· Premium Member
Joined
·
29,813 Posts
Hello again, ehgpdantas. ESET often lists threats that have already been quarantined, so don't get overly worried. Let me know when ESET finishes.
 

· Registered
Joined
·
56 Posts
Discussion Starter · #9 ·
Hi,

ESET finally completed. The log follows. It seems most of what it found was already handled by AdwCleaner. However, there was a strange Google Update.exe...

System does not have the FVP hijack any more and seems to be clean, although slow...

Eduardo
 

Attachments

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. Some users complain of slowness after a cleaning. Use the machine a day or so and see if it improves.

------------------------------------------------------

Most of the ESET finds have already been quarantined by AdwCleaner. Those will get deleted when we uninstall AdwCleaner.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start with a fresh log. Only paths that could NOT be deleted end up in it.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files ESET flagged: four in the Recycle Bin of the affected profile plus the
rem GoogleUpdate.exe copies under ProgramData and its All Users alias.
for %%g in (

"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\everything.dll"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\Patch.dll"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\ServiceEverything.exe"
"C:\$RECYCLE.BIN\S-1-5-21-4281146232-1754030423-2531835936-1002\$RFWC7M6\SFKEX.exe"
"C:\ProgramData\Google\update\GoogleUpdate.exe"
"C:\Users\All Users\Google\update\GoogleUpdate.exe"
"C:\Users\Todos os Usuários\Google\update\GoogleUpdate.exe"

) do (
rem /a any attributes incl. hidden and system, /f force read-only, /q no prompt
del /a/f/q %%g >nul 2>&1
rem If the file is still there the delete failed, e.g. file in use or locked; record it.
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Show the failures in Notepad, otherwise report success.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem Remove this batch file itself.
del %0
Save this Notepad file as fix.bat, choosing Save as type: All Files, then close Notepad.
It should look like this:


Right-click on fix.bat and choose 'Run as administrator' to allow it to run.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
 

· Registered
Joined
·
56 Posts
Discussion Starter · #11 ·
Hi,

The script ran and created a log.txt file with the following records:

C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Users\All Users\Google\update\GoogleUpdate.exe

Eduardo
 

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. Any improvement in speed?

Go to Start > Computer > Organize > Folder and Search Options > View, then
  • Check the Show hidden files and folders option.
  • Uncheck the Hide file extensions for known file types option.
  • Click 'Yes', then 'Apply', then 'OK'.
------------------------------------------------------

Navigate to, right-click and delete these files:

C:\ProgramData\Google\update\GoogleUpdate.exe
C:\Users\All Users\Google\update\GoogleUpdate.exe
Let me know if you were successful.

------------------------------------------------------
 

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. Not all slowness issues are due to malware. You may have to seek help in one of our other forums for help when we are done.

I'd like to collect those files for analysis, before deleting them.

Please download the Suspicious File Packer and Save it to your Desktop.

  • Unzip it to the desktop and run it.
  • Copy/paste the following list of files into the Suspicious File Packer window:

    C:\ProgramData\Google\update\GoogleUpdate.exe
    C:\Users\All Users\Google\update\GoogleUpdate.exe
  • Allow SFP to pack the files by clicking Continue
  • This will generate a CAB archive on your desktop named requested-files[Date/Time].cab
  • Please submit it to this site ==> Submit a Malware Sample and include this link in the message: http://www.techsupportforum.com/forums/f50/fvp-hijacking-1103362.html#post6963402
  • You can then delete the requested-files.cab file from your desktop, once you have uploaded it to the above recipient.
  • Please let me know you submitted the file.
------------------------------------------------------
 

· Registered
Joined
·
56 Posts
Discussion Starter · #16 ·
I just uploaded the cab file. I noticed that the slowness issue is not really on the laptop but on Internet Explorer. The laptop is responding quite well but IE is taking several seconds, sometimes a minute or so, to respond to a click.

Eduardo
 

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. Have you tried resetting IE to default?

https://www.google.com/search?q=restore+ie+to+default&ie=utf-8&oe=utf-8

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    C:\ProgramData\Google\update\GoogleUpdate.exe
    C:\Users\All Users\Google\update\GoogleUpdate.exe
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

-------------------------------------------------------
 

· Registered
Joined
·
56 Posts
Discussion Starter · #18 ·
The log follows. It deleted one of the files but curiously did not find the one in the AllUsers folder... As I tried to delete both, I am very sure the two files were there... but now, they do not show up anymore... Actually, one of them, probably the one in the ProgramData folder, was moved and renamed as an xBAD file.

I ran a search on Explorer and it found the folder below, last modified on 17/OCT/2014:
AppCrash_GoogleUpdate.exe_6466616b48e3848f8c3e56bed956fc81cee30b1_0f17e724

It also found two files (GoogleUpdateSetup.exe), last modified on 29/JUN/2013, in two different folders:
C:\Users\LG\AppData\Local\Apps\2.0\TQT80TGK.2DB\N2BJBTQ8.9MR\clic...exe_4fe91ede9f9bdca3_0001.0003_none_81523cbd64d988f5

Now the odd part of my post... I did the reset on IE and got a slight improvement. Not sure if IE is too heavy or because I am "measuring" its performance very close to the boot... so the computer is doing several things at the same time... but in any case, pages take a long time to load. So I decided to install Chrome again.

I googled for it, clicked on the Chrome page and went to a Google page thanking me for having installed it. At that time, I hadn't done any installation... I thought it was strange but continued to the browser tab and then it asked me to download Chrome, having to check the box whether Chrome would be the default browser. After Chrome was installed, McAfee warned me that a program was changing the way Chrome would behave and asked me to prevent it (which I did, with no effect)... and here I am, my malware is back... Any time Chrome opens it goes to a strange start page and uses a strange search engine... I went to Chrome settings and there was also a warning that its standards were modified...

So, it looks like it is really chrome but with a malware complement... I am almost sure next time I reboot the computer it will be infected again.

So, I think the infection is on the chrome install program... probably google noticed I had the install program and rather than sending a new one, it used the infected one.

I searched again for the GoogleUpdate.exe file and now I got the following result (attached jpg).

I will reboot system and run another dds scan as well as mbam.
 

Attachments
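The two places this thread's hijack shows up are the Chrome policy key that the FRST fix above removes ("CHR HKLM\SOFTWARE\Policies\Google") and the IE SearchScopes entries with an empty URL; the "settings modified" warning Chrome showed after the reinstall is what a policy key under HKLM or HKCU looks like from inside the browser. The following PowerShell is an added, read-only audit of both locations, not code from the thread or from any of the tools it uses. It assumes the standard registry paths for Chrome policies and IE SearchScopes, and the list of "known good" search domains is this example's own choice. Run it in an elevated PowerShell as the affected user (HKCU is that user's hive); it avoids features newer than the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread: list Chrome policy values and IE SearchScopes and
# flag search URLs that are empty or point outside known search domains.
# Assumption of this example: a home PC that is not on a domain has no Chrome policy values.

$knownSearchDomains = @('google.com', 'bing.com', 'yahoo.com')   # example's whitelist

# Flatten a registry key and all its subkeys into Key / Name / Value rows.
function Get-RegistryValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Key   $key.Name
            $row | Add-Member NoteProperty Name  $(if ($name -eq '') { '(Default)' } else { $name })
            $row | Add-Member NoteProperty Value ([string]$key.GetValue($name))
            $row
        }
    }
}

# A scope URL is suspicious when it is empty, as in the FRST log above, or when its host is
# not one of the known search domains.
function Test-SuspiciousSearchUrl {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) { return $true }
    try { $hostName = ([System.Uri]$Url).Host } catch { return $true }
    foreach ($d in $knownSearchDomains) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $false }
    }
    return $true
}

Write-Output '== Chrome policy values (expected: none on a home PC) =='
foreach ($root in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
    Get-RegistryValues $root | Format-Table Key, Name, Value -AutoSize
}

Write-Output '== IE SearchScopes: DefaultScope GUID and each scope URL =='
$scopeRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
              'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
foreach ($root in $scopeRoots) {
    Get-RegistryValues $root |
        Where-Object { @('DefaultScope', 'URL', 'DisplayName') -contains $_.Name } |
        ForEach-Object {
            $flag = ''
            if ($_.Name -eq 'URL' -and (Test-SuspiciousSearchUrl $_.Value)) { $flag = '<== check' }
            $_ | Add-Member NoteProperty Flag $flag -PassThru
        } | Format-Table Key, Name, Value, Flag -AutoSize
}
```

A scope whose URL is empty (exactly what the FRST fix above removes) or a policy value such as HomepageLocation or DefaultSearchProviderSearchURL under HKLM\SOFTWARE\Policies\Google\Chrome on a machine that is not centrally managed is worth removing, and if it comes back after a reboot, something still running is re-creating it.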

· Premium Member
Joined
·
29,813 Posts
Hello again, Eduardo. That doesn't mean all those GoogleUpdate.exe files are bad.

I don't need another dds log. I need to see fresh FRST64 logs, both FRST.txt and Addition.txt log.

Make sure Addition.txt is ticked before clicking 'Scan'.

-----------------------------------------------------
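The helper's point that a file named GoogleUpdate.exe is not bad just because of its name is best settled by checking where the file lives and who signed it. The PowerShell below is an added example, not code from the thread or from any tool it uses. For each GoogleUpdate.exe at the paths the thread mentions, and at the locations a genuine Google Update normally uses, it reports whether the path runs through a junction, the Authenticode status and signer, the SHA-256, and whether the location is an expected one. Two assumptions of this example that the thread does not state: a genuine GoogleUpdate.exe lives under Program Files (x86)\Google\Update or a profile's AppData\Local\Google\Update, and C:\Users\All Users is the Windows 7 junction to C:\ProgramData, which is why the batch script's two failed paths and the FRST fix's "one deleted, one not found" describe the same single file; the localized "Todos os Usuários" name is what Explorer displays, not a directory on disk, so that third entry never reached log.txt. Read-only; run elevated so other profiles are readable.

```powershell
# Added example, not from the thread: verify each GoogleUpdate.exe by location, signature
# and hash, and show which paths are aliases of one another through a junction.
# Assumed genuine install directories (example's assumption, not from the thread):
$expectedDirs = @('\Program Files (x86)\Google\Update\',
                  '\Program Files\Google\Update\',
                  '\AppData\Local\Google\Update\')

# Paths from the thread's batch script and FRST fix, plus the normal per-user locations.
$candidates = @(
    'C:\ProgramData\Google\update\GoogleUpdate.exe',
    'C:\Users\All Users\Google\update\GoogleUpdate.exe',
    'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
)
foreach ($profile in (Get-ChildItem -LiteralPath 'C:\Users' -Force -ErrorAction SilentlyContinue)) {
    if ($profile.PSIsContainer) {
        $candidates += Join-Path $profile.FullName 'AppData\Local\Google\Update\GoogleUpdate.exe'
    }
}

# Walk up the directory chain and return the first component that is a reparse point
# (junction or symlink). That is how one file shows up under two different paths.
function Get-JunctionInPath {
    param([string]$Path)
    $dir = Split-Path -Path $Path -Parent
    while ($dir) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) { return $dir }
        $dir = Split-Path -Path $dir -Parent
    }
    return $null
}

# .NET hashing so this also works on the PowerShell 2.0 that ships with Windows 7.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '').ToLower() }
    finally { $stream.Close() }
}

function Get-GoogleUpdateReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        $inExpected = $false
        foreach ($d in $expectedDirs) { if ($p -like "*$d*") { $inExpected = $true } }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Path        $p
        $row | Add-Member NoteProperty ViaJunction (Get-JunctionInPath $p)
        $row | Add-Member NoteProperty SigStatus   $sig.Status
        $row | Add-Member NoteProperty Signer      $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        $row | Add-Member NoteProperty Sha256      (Get-Sha256Hex $p)
        $row | Add-Member NoteProperty Expected    $inExpected
        $row
    }
}

$report = Get-GoogleUpdateReport $candidates
$report | Format-List

# Paths sharing a hash hold the same bytes; with a junction in one of them it is the same file.
$report | Group-Object Sha256 | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $paths = ($_.Group | ForEach-Object { $_.Path }) -join '; '
    Write-Output "Same content, SHA-256 $($_.Name): $paths"
}
```

A copy under C:\ProgramData\Google\update with SigStatus NotSigned, or signed by anyone other than Google, and Expected False is the one to submit for analysis and remove; the copy in Program Files (x86)\Google\Update with a valid Google signature is the real updater and should be left alone.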
 

· Registered
Joined
·
56 Posts
Discussion Starter · #20 ·
Hi,

After the boot, the Chrome browser was effectively hijacked but McAfee seemed to manage it, since I could remove both the start page and the search engine from Chrome settings.

I ran MBAM which found nothing and AdwCleaner which found two threats. I am attaching its log.

The FRST and Addition logs follow as well.
 

Attachments
