Cyber Tech Help Support Forums > Software > Malware Removal

#16 | Soudager (Senior Member) | May 11th, 2018, 05:18 PM
Anything more?

You have been a great help. Thanks a million.
And does anything else need to be done?

#17 | olgun52 (Malware Removal Team) | May 12th, 2018, 11:43 PM
Thanks for the logs.

Download and SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.
Send me the reports made from MBAR.

----------------------------------------------
:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

Code:
Folder::
c:\users\Soudager\AppData\Local\Henotu
c:\users\Soudager\AppData\Local\Cobaro
c:\users\Soudager\AppData\Local\hodor
c:\users\Soudager\AppData\Local\Nilorer

FireFox::
FF - prefs.js: browser.search.selectedEngine - Search Provided by Yahoo
FF - user.js: xpinstall.signatures.required - false

Save it to your desktop as CFScript.txt

Drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"Information and logs"
  • In your next post I need the following:
    • Report from ComboFix
    • RogueKiller report
    • Let me know of any problems you may have had
    • How is the computer doing now after running the script?
----------------------------------------------------------

Instructions on how to backup your Favourites/Bookmarks and other data can be found below. Proceed with the reset once done.


Have a nice day.
#18 | Soudager (Senior Member) | May 13th, 2018, 06:45 AM
RogueKiller log

RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/13/2018 10:22:15 (Duration : 00:29:20)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Not selected

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 5 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Share With Care [jjflmfkjppbmejlfbhlpgjnomdoefkfa] -> Deleted
[PUM.SearchEngine][Firefox:Config] nawte7v5.default : user_pref("browser.search.selectedEngine", "Search Provided by Yahoo"); -> Deleted
[PUM.SearchEngine][Firefox:Config] nawte7v5.default : user_pref("browser.search.defaultenginename", "Search Provided by Yahoo"); -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.houseofquran.com/] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.houseofquran.com/|https:/...ate&uref=chmm] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
#19 | Soudager (Senior Member) | May 13th, 2018, 06:51 AM
Oops, did something go wrong?

I couldn't find 'Delete' after RogueKiller ran the scan.

I found Remove. I selected some things and clicked Remove, though you had told me in an earlier mail not to remove everything, since not everything found is a threat.

I posted the report file.

I couldn't find '2' log files.

(And when I had run RogueKiller earlier I had disabled Malwarebytes. This time I enabled it and ran the scan.)

I don't know what went wrong. My 2-year-old son may have clicked something.

So I have run RogueKiller again. I will post that log after this.

Thanks
#20 | Soudager (Senior Member) | May 13th, 2018, 06:56 AM
MBAM log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/13/18
Scan Time: 10:13 AM
Log File: 3656a0ad-5668-11e8-97c9-70f395583f2d.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.5088
License: Trial

-System Information-
OS: Windows 7
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 274630
Threats Detected: 20
Threats Quarantined: 19
Time Elapsed: 16 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JJFLMFKJPPBMEJLFBHLPGJNOMDOEFKFA, Quarantined, [389], [176560],1.0.5088

File: 17
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata\computed_hashes.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata\verified_contents.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\background.js, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\bookmarklet.js, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-128.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-16.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-48.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\manifest.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Removal Failed, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [389], [176560],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [246], [454803],1.0.5088
PUP.Optional.ASK, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [2], [454827],1.0.5088
PUP.Optional.ASK, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [2], [454827],1.0.5088

Physical Sector: 0
(No malicious items detected)


(end)
#21 | Soudager (Senior Member) | May 13th, 2018, 07:15 AM
RogueKiller log (when I ran it the 2nd time, in fact the 3rd)

RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/13/2018 11:09:04 (Duration : 00:33:00)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Deleted

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
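Added here as an example, not code from this thread or from RogueKiller's maker: a small Python parser for the RogueKiller report format in posts #18 and #21 that lists what a Delete run left behind ("Not selected"), checks each section's declared count against the lines actually pasted, and picks out scheduled-task entries whose binary runs from a user-writable folder, the pattern of the hodor\SYNHEL~1.EXE task above. The sample reports are abridged from the posted ones; the browser section's header count is adjusted to match the two entries kept.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, abridged from the two RogueKiller reports posted in this
# thread: the first Delete run left the scheduled task "Not selected", the
# second run deleted it. The "Web browsers" section is cut to two entries and
# its header count adjusted to match.
FIRST_RUN = r"""
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Not selected

¤¤¤ Web browsers : 2 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Share With Care [jjflmfkjppbmejlfbhlpgjnomdoefkfa] -> Deleted
[PUM.SearchEngine][Firefox:Config] nawte7v5.default : user_pref("browser.search.selectedEngine", "Search Provided by Yahoo"); -> Deleted
"""

SECOND_RUN = r"""
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Deleted

¤¤¤ Web browsers : 0 ¤¤¤
"""

# "¤¤¤ Section : N ¤¤¤" headers and "[Category][Subtype] detail -> Status" lines
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)")
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\](?:\[(?P<subtype>[^\]]+)\])? (?P<detail>.*) -> (?P<status>.+)$"
)
# Binary launched by a task entry: "... -- C:\path\to\file.exe (arguments)"
TASK_TARGET_RE = re.compile(r"-- (?P<path>[A-Za-z]:\\.*?)(?: \(|$)")
# Per-user writable folders; a scheduled task starting a binary from one of
# these (as hodor\SYNHEL~1.EXE did) is the persistence pattern seen in the thread.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    category: str
    subtype: str | None
    detail: str
    status: str


def parse_report(text: str) -> list[Finding]:
    """Collect every finding line, tagged with the section it appeared under."""
    findings: list[Finding] = []
    section = "?"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("category"), m.group("subtype"),
                                    m.group("detail"), m.group("status").strip()))
    return findings


def count_mismatches(text: str) -> dict[str, tuple[int, int]]:
    """Sections whose declared count differs from the lines actually present.
    A mismatch usually means the pasted log was truncated or edited."""
    declared = {m.group("name"): int(m.group("count"))
                for m in map(SECTION_RE.match, text.splitlines()) if m}
    parsed: dict[str, int] = {}
    for f in parse_report(text):
        parsed[f.section] = parsed.get(f.section, 0) + 1
    return {name: (n, parsed.get(name, 0))
            for name, n in declared.items() if n != parsed.get(name, 0)}


def not_removed(findings: list[Finding]) -> list[Finding]:
    """Findings the run reported but did not delete ('Not selected', 'Found', ...)."""
    return [f for f in findings if f.status != "Deleted"]


def user_profile_task_targets(findings: list[Finding]) -> list[str]:
    """Scheduled-task binaries that live in a user-writable folder."""
    hits = []
    for f in findings:
        m = TASK_TARGET_RE.search(f.detail) if f.section == "Tasks" else None
        if m and any(marker in m.group("path").lower() for marker in USER_WRITABLE):
            hits.append(m.group("path"))
    return hits


def still_present(before: str, after: str) -> list[str]:
    """Items left behind by the first run that the second run did not delete either."""
    after_status = {f.detail: f.status for f in parse_report(after)}
    return [f.detail for f in not_removed(parse_report(before))
            if after_status.get(f.detail) != "Deleted"]


if __name__ == "__main__":
    first = parse_report(FIRST_RUN)
    print("left behind after run 1:", [f.detail for f in not_removed(first)])
    print("task binaries in user profile:", user_profile_task_targets(first))
    print("still present after run 2:", still_present(FIRST_RUN, SECOND_RUN))
    print("header/line count mismatches:", count_mismatches(FIRST_RUN))
```

Run it against a full saved RKreport text instead of the embedded samples to see the same checks on a real report.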
#22 | Soudager (Senior Member) | May 13th, 2018, 07:16 AM
Only 1 log file of RK

I still couldn't find the 2 log files.
#23 | olgun52 (Malware Removal Team) | May 14th, 2018, 09:47 PM
Thanks for the logs.

Quote:
I couldn't find '2' log files.

I don't know what went wrong. My 2-year-old son may have clicked something.
Okay, no problem.

Did you forget to run CFScript? Please run CFScript.

#24 | Soudager (Senior Member) | May 18th, 2018, 05:44 AM
Did as instructed

1. When I dragged CFScript into ComboFix it started running but said that updates were available, so I clicked 'Update'. It got updated, and then while I waited nothing was happening, so I dragged the CFScript into ComboFix.

2. It started to run but showed the following:

Quote:
Error opening file for writing:
C:\32788R22FWJFW\NirCmd.3XE
Click Abort to stop installation,
Retry to try again, or
Ignore to skip this file.
I clicked Retry.

3. Now after I clicked retry, another message window popped up.

Quote:
ComboFix has detected the following real time scanner(s) to be active:

Antivirus: Malwarebytes
Antispyware: Malwarebytes

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking 'OK'
4. So I turned off the tabs in Malwarebytes and then clicked OK to allow ComboFix to run further.
(I had got this window earlier too.)

5. I will post the Log.
#25 | Soudager (Senior Member) | May 18th, 2018, 05:45 AM
ComboFix Report

ComboFix 18-05-17.01 - Soudager 05/18/2018 9:47.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1976.1012 [GMT 5.5:30]
Running from: c:\users\Soudager\Desktop\ComboFix.exe
Command switches used :: c:\users\Soudager\Desktop\CFScript.txt
AV: Malwarebytes *Disabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Malwarebytes *Disabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Soudager\AppData\Local\Cobaro
c:\users\Soudager\AppData\Local\Henotu
c:\users\Soudager\AppData\Local\hodor
c:\users\Soudager\AppData\Local\hodor\fob.txt
c:\users\Soudager\AppData\Local\hodor\gonefapud
c:\users\Soudager\AppData\Local\hodor\nugag.txt
c:\users\Soudager\AppData\Local\hodor\tapedomi
c:\users\Soudager\AppData\Local\Nilorer
c:\users\Soudager\AppData\Local\Nilorer\Bahedi.exe
.
.
((((((((((((((((((((((((( Files Created from 2018-04-18 to 2018-05-18 )))))))))))))))))))))))))))))))
.
.
2018-05-18 04:22 . 2018-05-18 04:22 -------- d-----w- c:\users\Guest\AppData\Local\temp
2018-05-18 04:22 . 2018-05-18 04:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2018-05-11 12:24 . 2018-05-13 05:39 28272 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2018-05-11 12:24 . 2018-05-11 15:37 -------- d-----w- c:\programdata\RogueKiller
2018-05-11 12:23 . 2018-05-13 04:51 -------- d-----w- c:\program files\RogueKiller
2018-05-11 11:57 . 2018-05-18 03:53 253664 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2018-05-08 12:55 . 2018-05-08 12:55 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BDEB36F0-5DB5-48DF-96C1-83B8BC9F3AD9}\offreg.dll
2018-05-06 01:52 . 2018-03-19 07:27 76192 ----a-w- c:\windows\system32\drivers\mbae64.sys
2018-05-06 01:52 . 2018-05-06 01:52 -------- d-----w- c:\programdata\Malwarebytes
2018-05-06 01:52 . 2018-05-06 01:52 -------- d-----w- c:\program files\Malwarebytes
2018-05-03 15:00 . 2018-05-14 09:04 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2018-05-03 15:00 . 2018-05-14 09:03 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2018-05-03 15:00 . 2018-05-14 09:03 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2018-05-03 15:00 . 2018-05-18 03:59 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2018-05-02 14:03 . 2018-05-02 14:22 -------- d-----w- C:\AdwCleaner
2018-05-02 13:22 . 2018-05-02 13:22 -------- d-----w- c:\program files\VS Revo Group
2018-05-01 06:12 . 2018-05-18 04:00 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2018-05-01 06:12 . 2018-05-18 03:59 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2018-05-01 06:11 . 2018-05-18 03:59 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2018-05-01 06:11 . 2018-05-11 06:50 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2018-04-29 01:05 . 2018-05-11 11:22 62902208 ----a-w- c:\users\Soudager\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
2018-04-27 02:37 . 2018-05-06 01:41 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-05-09 15:51 . 2012-10-16 19:56 804864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2018-05-09 15:51 . 2012-08-28 14:29 144896 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2741616]
"Skype for Desktop"="c:\program files (x86)\Microsoft\Skype for Desktop\Skype.exe" [2018-04-24 49654216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-05-19 295512]
.
c:\users\Soudager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 EraserUtilDrv11520;EraserUtilDrv11520;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11520.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11520.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\Drivers\mbamswissarmy.sys;c:\windows\SYSNATIVE\Drivers\mbamswissarmy.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - ESProtectionDriver
*Deregistered* - MBAMWebProtection
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 06:59 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.43.1
FF - ProfilePath - c:\users\Soudager\AppData\Roaming\Mozilla\Firefox\Profiles\nawte7v5.default\
FF - user.js: xpinstall.signatures.required - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_29_0_0_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_29_0_0_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_29_0_0_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_29_0_0_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.29"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2018-05-18 09:55:31
ComboFix-quarantined-files.txt 2018-05-18 04:25
ComboFix2.txt 2018-05-11 12:12
.
Pre-Run: 10,722,299,904 bytes free
Post-Run: 10,661,695,488 bytes free
.
- - End Of File - - 3AF190B337075B83889471772B5A7C66
A36C5E4F47E84449FF07ED3517B43A31
#26 | Soudager (Senior Member) | May 18th, 2018, 06:43 AM
RogueKiller log

RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/18/2018 10:44:12 (Duration : 00:24:47)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
#27 | Soudager (Senior Member) | May 18th, 2018, 06:46 AM
What Next?

I don't have the windows opening up. But I worry whether they will appear once Malwarebytes expires.

Are we done?

What precautions should I take for this not to repeat?

Thanks for being with me for so long.
#28 | olgun52 (Malware Removal Team) | May 19th, 2018, 12:30 AM
Quote:
I don't have the windows opening up. But I worry whether they will appear once Malwarebytes expires.
Glad to hear that.
No problem. You can buy the Malwarebytes software, or you can use it only for browsing and as a passive scanner.


Quote:
Are we done?
Please do this;


ESET Online Scanner:

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double-click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found"; click beneath it on Save to text file... and save it as ESET log.txt on your Desktop.
  • Delete the harmful items found. Place a checkmark at Delete application's data on close, click Finish and close the program.
Don't forget to re-enable previously switched-off protection software!


Have a nice day.