| Thread ID: 139694 | 2015-06-13 00:35:00 | Web browsers hijacked | Sam Bos (12456) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1402615 | 2015-06-13 00:35:00 | Hi there. Lately all my web browsers seem to be getting hijacked. I mainly use Chrome but after seeing issues I checked IE and Firefox as well (all installed on my PC) and they exhibit the same or similar issues. I'll notice it when I open a browser - the homepage has been redirected to a different website, and the default search provider has also been changed. So far it's been lucky searches, delta homes, v9.com. If I try to change the default homepage, it'll just revert back to the unwanted one. Also I'll find some sort of program has installed itself (looking at the list of installed Programs in Control Panel). So far I've managed to clean it all up just by running Malwarebytes and Avast (the lucky searches one was a **** to get rid of) but it seems like every week there's a new one that's installed itself. Opened up Chrome this morning to find the latest one (v9.com) so I thought I'd take a log of the Malwarebytes scan and HiJackThis and let you guys have a look. Here is the Malwarebytes log (HiJackThis log is underneath). Thanks for your help!

=====================================================
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 13/06/2015
Scan Time: 10:45:58 a.m.
Logfile: Malwarebytes 13062015.txt Administrator: Yes Version: 2.01.6.1022 Malware Database: v2015.06.12.07 Rootkit Database: v2015.06.02.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows Vista Service Pack 2 CPU: x86 File System: NTFS User: Sam Scan Type: Threat Scan Result: Completed Objects Scanned: 381487 Time Elapsed: 35 min, 24 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Warn PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 7 PUP.Optional.SuperOptimizer.C, HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [c0170cad0f7be650cb46830963a26d93], PUP.Optional.SuperOptimizer.C, HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}, , [4b8c3b7e99f1280ed53d137945c053ad], PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428A-92C9-0CFC28B9D1BF}, , [bb1c9d1ce6a43402c93e681b59ac718f], PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [6e69b900fb8f6bcb7799197331d47a86], PUP.Optional.SuperOptimizer.C, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [6b6c2c8d9bef181ecf4177152fd6ee12], PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428A-92C9-0CFC28B9D1BF}, , [1cbb7c3d226849ed62a486fd798c52ae], PUP.Optional.ProductSetup.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\PRODUCTSETUP, , [0bccf7c25238ea4c893c9dee8d7831cf], Registry Values: 4 PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|URL, www.v9.com , [bb1c9d1ce6a43402c93e681b59ac718f] PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET 
EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|FaviconURL, www.v9.com , [cc0b8039662472c4a265c7bc62a303fd] PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|URL, www.v9.com , [1cbb7c3d226849ed62a486fd798c52ae] PUP.Optional.ProductSetup.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\PRODUCTSETUP|tb, 0Q2P2X1C1N1K0J2X2X1G1M1F2V, , [0bccf7c25238ea4c893c9dee8d7831cf] Registry Data: 8 PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[f5e2bbfe9af061d5a83436ff6c9a2fd1] PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[c90eaa0f59312412bc20eb4a09fd2ed2] PUP.Optional.V9.A, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[22b55b5e17731c1af5e167ce7591c937] PUP.Optional.V9.A, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, (www.google.com), Bad: 
(http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[399ec4f56129a19534a2a88dd63013ed] PUP.Optional.V9.A, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[a82f0cad8802ba7cb4225bda897d738d] PUP.Optional.V9.A, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[ffd8cfea8406f44284523df861a55fa1] PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[b91e7c3df19948ee30a6f93ce91d2ed2] PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, (www.google.com), Bad: 
(http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c" target="_blank">www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http:),,[7562a910a7e373c3ca0c69ccae582ed2] Folders: 1 FraudTool.YAC, C:\Program Files\Elex-tech\YAC, , [13c48a2fe2a8fc3a523cd0174ab960a0], Files: 17 FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B89.tmp, , [4196ceebf199a096308dad8eeb1734cc], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9A.tmp, , [e3f4942554360a2c10ad7fbcff0348b8], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9B.tmp, , [87509a1ff694b680e5d86ecd6f93748c], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9C.tmp, , [cd0ae6d378121b1b9429e85301010af6], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1BAC.tmp, , [23b4a4151c6ead892c91b18ac83a0bf5], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1BCC.tmp, , [439419a04149f73f4a73ab902ad8a759], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C0C.tmp, , [4c8b12a7f991af87ecd184b7cf33b848], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C2C.tmp, , [08cffdbc0c7ecb6b8b3243f8808225db], FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C2D.tmp, , [e3f4bcfdc4c63105ba0356e58280ab55], PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Fir efox\Profiles\ml8bm2uc.default\searchplugins\V9.xm l, , [389f3c7d7b0f85b142912000659f8c74], PUP.Optional.V9.A, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.v9.com_0.localstorage, , [389fc1f80189dc5abe3e9593ec18ab55], PUP.Optional.V9.A, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.v9.com_0.localstorage-journal, , [409740795238e2542dcfd652b74de719], PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Fir efox\Profiles\ml8bm2uc.default\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", 
"http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[f7e0c3f62e5c7cba4f53d0b08383916f] PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Fir efox\Profiles\ml8bm2uc.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[f6e15b5ee7a3f541b90ca8d8877fbb45] PUP.Optional.V9, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences, Good: ("session":{"restore_on_startup":5}}), Bad: ("session":{"restore_on_startup":4,"startup_urls":["http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c"]},"sync":{"remaining_rollback_tries":0}}), ,[8552f3c67416092dff7d384a81853bc5] PUP.Optional.V9.A, C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profi les\7cwxdlv1.default\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[686f05b4a1e9c76f6042b6ca15f1a65a] PUP.Optional.V9.A, C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profi les\7cwxdlv1.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[65720faa35554beb2c99e0a0d036af51] Physical Sectors: 0 (No malicious items detected) (end) ================================================== === ================================================== === Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:15:40 a.m., on 13/06/2015 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v9.00 (9.00.8112.16659) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe 
C:\Program Files\Elex-tech\YAC\iSafeTray.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\AVAST Software\Avast\avastui.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Unified Remote\RemoteServer.exe C:\Windows\ehome\ehtray.exe C:\Program Files\RemotelessHelper\RemotelessHelper.exe C:\Program Files\CCleaner\CCleaner.exe C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHel per.exe C:\Program Files\AutoHotkey\AutoHotkey.exe C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.e xe C:\Program Files\Logitech\SetPointP\SetPoint.exe C:\Windows\ehome\ehmsas.exe C:\Users\Sam\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\wuauclt.exe C:\Windows\explorer.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Malwarebytes Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe C:\Windows\system32\SearchFilterHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz R1 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll O2 - BHO: avast! 
Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll O2 - BHO: DVDVideoSoft.WebPageAdjuster - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [RemotelessHelper] "C:\Program Files\RemotelessHelper\RemotelessHelper.exe" O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHel per.exe" O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - 
HKUS\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?') O4 - HKUS\S-1-5-21-3896505289-1607041351-1423294743-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe (User '?') O4 - HKUS\S-1-5-21-3896505289-1607041351-1423294743-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart (User '?') O4 - S-1-5-21-3896505289-1607041351-1423294743-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe (User '?') O4 - Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe O4 - Global Startup: WinVista Create New Folder Script.ahk O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Free YouTube Download - C:\Program Files\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... 
- C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll O9 - Extra 'Tools' menuitem: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Avast Antivirus (avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe O23 - Service: AvastVBox COM Service (AvastVBoxSvc) - Avast Software - C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe O23 - Service: GSService - Unknown owner - C:\Windows\system32\GSService.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: YAC Service (iSafeService) - Elex do Brasil Participações Ltda - C:\Program Files\Elex-tech\YAC\iSafeSvc.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe O23 - Service: WACService - Wondershare - C:\Program Files\Wondershare\Wondershare Application Center\WACService.exe O23 - Service: WinZiper service (winzipersvc) - Taiwan Shui Mu Chih Ching Technology Limited. - C:\Program Files\WinZipper\winzipersvc.exe -- End of file - 11512 bytes ================================================== === |
Sam Bos (12456) | ||
| 1402616 | 2015-06-13 01:02:00 | You have quite a bit of crap in there. Optional.SuperOptimizer: malwaretips.com. Running the tools here should also get FraudTool.YAC; this is from YAC Cleaner, which is bad. You will have this installed in your Programs. Also run Junkware Removal Tool: thisisudax.org. Then run another HijackThis log and see what else is left to remove. |
Lawrence (2987) | ||
| 1402617 | 2015-06-13 04:21:00 | Run adwcleaner as well (toolslib.net). Click on scan, wait for it to finish, then click on clean, then reboot.

Tick these in HJT:
O2 - BHO: (no name) - AutorunsDisabled - (no file)

These don't have to be in startup:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Disable this in CCleaner:
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

Update TeamViewer, it's up to 10.x something now.

This:
O23 - Service: YAC Service (iSafeService) - Elex do Brasil Participações Ltda - C:\Program Files\Elex-tech\YAC\iSafeSvc.exe
may have installed all those FraudTool entries. Uninstall it. |
Speedy Gonzales (78) | ||
| 1402618 | 2015-06-13 22:10:00 | Google is your friend with this - I removed it from a relative's laptop this week. Spybot finds it and I think Malwarebytes did too. Just be aware though that one of the fixes I found in Google requires a paid version of the tool to remove the bugs. |
Chris Randal (521) | ||
| 1402619 | 2015-06-13 23:57:00 | You don't need ANY paid software to remove those. The reason it keeps returning is because it's still installed someplace. Generally those types of infections will be bundled with some other program that's installed, sometimes on purpose, sometimes on their own. Unless you remove the program(s) and remove all signs from the add-ins on your browsers, as well as from the registry, it WILL reinfect. 1st thing I'd be doing is dumping Avast - it's useless. Along with the programs Lawrence linked, use www.bleepingcomputer.com. Also run EEK in FULL scan mode after updating it: www.emsisoft.com. Install a better antivirus, Nod32 - set it to scan fully, NOT the default install. To set it up correctly there's a video I made and posted a while back, but here's the link: vimeo.com. Also run CCleaner to get rid of temp files, as sometimes they will sit in there as well. Once all the above have been run (could take all day) open CCleaner, reg cleaner section, and scan / remove the leftovers. Again -- if it reinfects then you have missed something. --- Enjoy :) |
wainuitech (129) | ||
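The "remove all signs from the add-ins on your browsers, as well as from the registry" step above can be checked rather than guessed at. The following is an added example written for this page, not code from the thread or from any tool it names: a read-only PowerShell audit of exactly the locations the Malwarebytes log shows v9.com rewriting (IE Start Page / Default_Page_URL and SearchScopes in each registry hive, Firefox prefs.js, Chrome Preferences / Secure Preferences). It assumes PowerShell 3.0 or later and an elevated prompt so HKLM and other accounts' hives are readable; the allowlist of hosts is a constructed example.

```powershell
# Added example, not code from the thread or from any tool it names. Read-only
# audit of the homepage/search-provider locations the Malwarebytes log above
# shows v9.com rewriting: IE "Main" values and SearchScopes in every registry
# hive, Firefox prefs.js, and Chrome's Preferences / Secure Preferences.
# Assumes PowerShell 3.0+ (Get-Content -Raw) and an elevated prompt so HKLM and
# other accounts' HKEY_USERS hives are readable. Nothing here modifies anything.

# Constructed allowlist: hosts you consider legitimate. Every other host is reported.
$AllowedHosts = @('www.google.com', 'www.google.co.nz', 'www.bing.com')

function Get-UrlHost {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    # Registry values are often stored without a scheme ("www.v9.com"); add one
    # so [uri] can isolate the host part.
    $candidate = if ($Url -match '^[a-z][a-z0-9+.-]*:') { $Url } else { "http://$Url" }
    try {
        $h = ([uri]$candidate).Host
        if ($h) { $h.ToLowerInvariant() } else { $null }
    } catch {
        $Url    # unparsable value (e.g. the bare "http:" seen in the log): report verbatim
    }
}

function Write-Finding {
    param([string]$Location, [string]$Setting, [string]$Url)
    $h = Get-UrlHost $Url
    if ($h -and ($AllowedHosts -notcontains $h)) {
        [pscustomobject]@{ Location = $Location; Setting = $Setting; Value = $Url }
    }
}

# 1. Internet Explorer start/search values. HKCU is covered through its SID under HKEY_USERS.
$ieValues = 'Start Page', 'Default_Page_URL', 'Default_Search_URL', 'Search Page', 'Search Bar'
$hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    $main = "$hive\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) {
        $props = Get-ItemProperty -Path $main
        foreach ($v in $ieValues) {
            if ($props.PSObject.Properties[$v]) { Write-Finding $main $v $props.$v }
        }
    }
    # 2. IE search scopes: each {GUID} subkey holds one provider's URL
    #    (the log shows v9.com installed as its own scope in HKLM and the user hive).
    $scopes = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        Get-ChildItem -Path $scopes | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            Write-Finding $_.Name 'URL' $p.URL
        }
    }
}

# 3. Firefox: home page and new-tab page in every profile's prefs.js.
$prefsPattern = '^user_pref\("(browser\.startup\.homepage|browser\.newtab\.url)",\s*"([^"]*)"\);'
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Select-String -Path $file -Pattern $prefsPattern | ForEach-Object {
            $setting = $_.Matches[0].Groups[1].Value
            # The homepage pref may hold several URLs separated by "|".
            foreach ($u in ($_.Matches[0].Groups[2].Value -split '\|')) { Write-Finding $file $setting $u }
        }
    }

# 4. Chrome: startup URLs and homepage in Preferences / Secure Preferences. A regex is
#    used instead of ConvertFrom-Json because only these two keys matter here.
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\Default\*Preferences" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $raw = Get-Content -Raw -Path $file
        if ($raw -match '"startup_urls"\s*:\s*\[([^\]]*)\]') {
            $list = $Matches[1]
            foreach ($m in [regex]::Matches($list, '"([^"]*)"')) {
                Write-Finding $file 'session.startup_urls' $m.Groups[1].Value
            }
        }
        if ($raw -match '"homepage"\s*:\s*"([^"]*)"') { Write-Finding $file 'homepage' $Matches[1] }
    }
```

Each row it prints is one location still pointing at a host you did not approve; no output means none of the audited settings does, which is the state the second HJT log in this thread shows.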
| 1402620 | 2015-06-14 00:14:00 | Emsisoft Emergency Kit (EEK): if you think you have a clean system, run Emsisoft Emergency Kit. It asks you if you want PUPs included before it's run; very surprising what's found (only delete what you have researched is bad). |
Lawrence (2987) | ||
| 1402621 | 2015-06-16 02:26:00 | Beside all the good advice given above, also right click on the icon shortcut for your browser, go to Properties and check the path to the exe. You may find a URL tagged onto the end of the path to the executable, i.e. C:\Program Files (x86)\Mozilla Firefox\firefox.exe" www.xxxx.xx - delete the URL up until the last ". Check all browser icons. |
beama (111) | ||
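The shortcut trick beama describes (a URL appended after the closing quote of the browser's Target, which survives any homepage fix) can be checked across every shortcut location at once. The following is an added example written for this page, not code from the thread: a read-only PowerShell scan that reports browser shortcuts carrying any arguments. The list of browser executables and the shortcut folders are assumptions for a default Windows Vista layout.

```powershell
# Added example, not code from the thread. Checks for the shortcut trick beama
# describes: a hijacker appends a URL after the closing quote of the browser
# shortcut's Target, so the browser reopens the unwanted page no matter what the
# homepage setting says. In the .lnk file that appended text is the Arguments
# field. Read-only: it lists affected shortcuts, it does not rewrite them.

# Constructed list of browser executables whose shortcuts are checked.
$BrowserExes = 'chrome.exe', 'firefox.exe', 'iexplore.exe'

# Where Windows keeps launch shortcuts for this user and for all users
# (Quick Launch includes the pinned-taskbar folder via -Recurse below).
$ShortcutRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell

function Test-ShortcutHijack {
    param([string]$LnkPath)
    try { $lnk = $shell.CreateShortcut($LnkPath) } catch { return }
    # Last path component of the target, lower-cased; empty when the shortcut has no target.
    $exe = ([string]$lnk.TargetPath -split '[\\/]')[-1].ToLowerInvariant()
    if ($BrowserExes -notcontains $exe) { return }
    # A plain browser launcher has no arguments at all, so any argument is worth a
    # look; flag separately whether it resembles a URL (scheme, "www.", or a dotted host).
    if (-not [string]::IsNullOrWhiteSpace($lnk.Arguments)) {
        [pscustomobject]@{
            Shortcut     = $LnkPath
            Target       = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            LooksLikeUrl = [bool]($lnk.Arguments -match '(https?://|www\.|\b[\w-]+\.[a-z]{2,}\b)')
        }
    }
}

$findings = foreach ($root in $ShortcutRoots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShortcutHijack $_.FullName }
}

if ($findings) {
    $findings | Format-List
    Write-Host 'Fix: in each shortcut''s Properties, remove everything after the closing quote of the executable path in Target.'
} else {
    Write-Host 'No browser shortcut carries extra arguments.'
}
```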
| 1402622 | 2015-06-20 12:46:00 | Thanks everyone, I ran through most of the suggestions above (apart from Rogue Killer - it kept blue-screening every time I tried to run it). But it all seems to be OK now, here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 11:46:44 p.m., on 20/06/2015 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v9.00 (9.00.8112.16659) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\AVAST Software\Avast\avastui.exe C:\Program Files\Logitech\SetPointP\SetPoint.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Unified Remote\RemoteServer.exe C:\Windows\ehome\ehtray.exe C:\Program Files\RemotelessHelper\RemotelessHelper.exe C:\Program Files\CCleaner\CCleaner.exe C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHelper.exe C:\Program Files\AutoHotkey\AutoHotkey.exe C:\Windows\ehome\ehmsas.exe C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Users\Sam\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz R1 -
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe O4 - HKCU\..\Run: [ehTray.exe] 
C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [RemotelessHelper] "C:\Program Files\RemotelessHelper\RemotelessHelper.exe" O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHel per.exe" O4 - HKCU\..\Run: [Dropbox Update] "C:\Users\Sam\AppData\Local\Dropbox\Update\DropboxU pdate.exe" /c O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe O4 - Global Startup: WinVista Create New Folder Script.ahk O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Free YouTube Download - C:\Program Files\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... 
- C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Avast Antivirus ( avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe O23 - Service: AvastVBox COM Service (AvastVBoxSvc) - Avast Software - C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. 
- C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer\TeamViewer_Service.exe O23 - Service: WACService - Wondershare - C:\Program Files\Wondershare\Wondershare Application Center\WACService.exe -- End of file - 8164 bytes |
Sam Bos (12456) | ||
| 1402623 | 2015-06-20 21:02:00 | Looks OK to me | Speedy Gonzales (78) | ||
| 1402624 | 2015-06-21 02:07:00 | Cool, thanks Speedy | Sam Bos (12456) | ||