Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on July 14, 2016, 06:09:09 PM
-
had this pop up in the last couple days,. i've run FRST, and have attached. if we can work together and help murderize it, that would be greatly appreciated
-
FRST will produce two logs ( additions.txt ) if you followed instructions, so one is missing
See picture for what is selected
-
oh, sorry could of sworn i had that attached....
-
What popup are you seeing? Can you post a screenshot of it?
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2399731810-1161899897-192117391-1000\...\MountPoints2: {3f9720a7-34bd-11e5-a499-8c89a556251a} - "F:\Setup.exe"
CHR StartupUrls: Default -> "hxxp://search.fantastigames.com/453","hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48&sspv=CHAUTOTB","hxxp://search.babylon.com/?affID=110803&tt=4512_2&babsrc=HP_ss&mntrId=3262058b000000000000c0c1c05f6497"
CHR Extension: (Google Drive) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (Google Search) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sean Bauer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
U3 idsvc; no ImagePath
2016-07-05 20:02 - 2015-11-24 00:36 - 00166488 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8F72.tmp
2016-07-05 20:01 - 2015-11-24 00:36 - 09798560 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET882B.tmp
2016-07-05 20:01 - 2015-11-24 00:35 - 10707032 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8BF9.tmp
2016-07-05 20:01 - 2015-11-24 00:35 - 01515312 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET8FA5.tmp
2016-07-05 19:13 - 2015-11-24 00:31 - 00498176 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\SET8F60.tmp
2016-06-25 20:56 - 2015-11-24 00:36 - 09893144 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET4B9E.tmp
2016-06-25 20:56 - 2015-11-24 00:36 - 00176840 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET5D8A.tmp
2016-06-25 20:56 - 2015-11-24 00:35 - 10809000 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET53FD.tmp
2016-06-25 20:55 - 2015-11-24 00:35 - 01537512 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\SET5DBD.tmp
2016-06-25 20:53 - 2016-05-15 18:38 - 00874008 _____ (AMD) C:\WINDOWS\system32\SET674F.tmp
2016-06-25 20:52 - 2015-11-24 00:31 - 00506904 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\SET5D77.tmp
2016-06-25 20:51 - 2016-05-20 13:57 - 01315352 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\SET4BF1.tmp
2016-01-02 01:16 - 2016-01-02 01:16 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Sean Bauer\AppData\Local\Temp\AMDCleanupUtility.exe
C:\Users\Sean Bauer\AppData\Local\Temp\CIMManifest.exe
C:\Users\Sean Bauer\AppData\Local\Temp\Cleanup.dll
C:\Users\Sean Bauer\AppData\Local\Temp\ddu.exe
C:\Users\Sean Bauer\AppData\Local\Temp\msvcm80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\msvcp80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\msvcr80.dll
C:\Users\Sean Bauer\AppData\Local\Temp\raptrpatch.exe
C:\Users\Sean Bauer\AppData\Local\Temp\raptr_stub.exe
Task: {0754C8EA-3CCE-4F22-B465-8EB67D003B46} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {22789F4F-21A5-44BE-9052-637FED964FDB} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2FFE3AA5-DDAA-4947-9C00-BB63FC3FFB0A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {40024AB3-388B-48E4-84E8-1BA5ED5FAF00} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {44C3E914-A4E4-4E11-8A32-2F3596B8BBE1} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5E904F28-B92C-4753-8707-8414A4BD94C0} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {70D2E485-A49C-4179-9733-A966108A5814} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {9EA95270-9B0B-4693-A4BA-CADF62E7997C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AF567FCA-6D71-43EC-883D-EC309A30A12C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D4D57449-8E76-4AC1-A080-86C8319DDA52} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {F2B47407-6CE8-4985-90BC-12D759F500A8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
(http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png)
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
-
ran that, now everytime i open a program, even avast it pops up, it popped up twice for each attachment, saying the same thing
-
Alright; need to dig further for this one....
Run a search with FRST.
- Right click on FRST.exe on your desktop and select "Run as Administrator..." When the tool opens click Yes to disclaimer.
- Type wpad.browsersecurity.in;wpad into the Search Box.
- Press the Search Registry button.
- It will produce a log called search.txt in the same directory the tool is run from.
- Please copy and paste log back here.
Please attach the log search.txt in your reply. Thanks.
-
Farbar Recovery Scan Tool (x64) Version: 13-07-2016 02
Ran by Sean Bauer (2016-07-14 20:39:27)
Running from C:\Users\Sean Bauer\Desktop
Boot Mode: Normal
================== Search Registry: "wpad.browsersecurity.in;wpad" ===========
===================== Search result for "wpad" ==========
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a0-63-91-8f-82-c2]
"WpadDecisionTime"="0xB6A429F1FEC5D101"
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a0-63-91-8f-82-c2]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecisionReason"="0"
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecision"="1"
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork"="{DF714289-BB6C-4C14-8683-ACD28056019D}"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDecisionTime"="0x16EE598121AED001"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b4-75-0e-59-35-2c]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDecisionReason"="0"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDecision"="1"
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF714289-BB6C-4C14-8683-ACD28056019D}]
"WpadDetectedUrl"="http://wpad.browserupdatecheck.in/wpad.dat"
====== End of Search ======
-
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
REG: reg delete "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg delete "HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg add "HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
REG: reg add "HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
(http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png)
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
-
still stays chrome.exe, svchost.exe and another i didn't get a chance to see were a threat....
-
Please download Check Browsers LNK from here (https://toolslib.net/downloads/viewdownload/80-check-browsers-lnk/).
Double click on the file and accept the UAC permission if it asks.
When done, it will produce a Check_Browsers_LNK.log. Please attach that.
-
done
-
One last scan then I must call it a night (will check the logs again either first in morning or in a bit) ...
Please download Autologger.zip from here (http://tools.safezone.cc/drongo/AutoLogger/AutoLogger.zip).
Double click the file and extract the file (Autologger.exe) to a folder of your choice (I would suggest you name it AutoLogger for ease of location later).
Double click on Autologger.exe to let it run and follow the prompts.
When finished, it will produce a file named CollectionLog-yyyy.mm.dd.zip [with the date of the logs] in the folder with AutoLogger.exe. Please attach that here.
-
won't let me attach the zip, unpack it and just attach it that way?
-
If you unpack it, there should be two log files and two txt files and one more zip file. Save that zip file on your side and attach the other 4 files (2 .log filea and 2 .txt files). Thanks.
-
Thanks by the way
-
Found it! (Fingers crossed)
Thank you the AutoLogger logs. I think we will have to take care of some of the remaining issues a slightly different way now. The following steps will guide you through backing up your registry, assembling the file that will correct the issues and running that fix. IF AT ANY TIME YOU HAVE A QUESTION OR CONCERN ON ANY OF THESE STEPS, STOP AND ASK UNTIL YOU ARE CLEAR AND COMFORTABLE ON THEM.
Step 1
- Please download Registry Backup from here (http://www.tweaking.com/files/setups/tweaking.com_registry_backup_setup.exe).
- Double click to run the installer; even though there is no 'foistware' installed with this program, as good practice, you should read all the instructions on every screen of the install.
- If you let it, the install put a shortcut to the program on your desktop; either click on this or goto START > All Programs > Tweaking.com > Registry Backup > Tweaking.com - Registry Backup to start the program. Click Yes in reply to the User Account Control if it askes.
- Please leave the backup storage setting at the default (if anything happens, I can tell you how to get there and restore the registry as this location is the same on every system).
- Click on Backup Now to start the backup process; a progress window will open and show you the status of the backup. When complete, the program will state Successful and you can close the program.
Step 2
- Please open Notepad.exe by going to START > Run
- Type notepad.exe into the Run box
- Then press ENTER.
- Once Notepad is running, please copy the following text inside the Code box below (do not copy the Code in the title bar) by highlighting all the text inside the box (or clicking on Select next to Code), right clicking and selecting Copy.
Windows Registry Editor Version 5.00
[-HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
[-HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
[HKEY_USERS\S-1-5-21-2399731810-1161899897-192117391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
[HKLM\System\CSS\Services\Tcpip\Parameters]
"SearchList"=-
[HKLM\System\ControlSet001\Services\Tcpip\Parameters]
"SearchList"=-
- Once you have done that, return to Notepad and click on Edit on the menu bar and select Paste in the drop down menu. Notepad will paste a copy of the text you selected from the Quote box.
- Next, click on File on the menu bar and select Save As.
- Navigate to your desktop in the left hand tree view window.
- Type Regfix.reg in the file name edit bar.
- Click on the Save as type: bar and select All Files (*.*) from the drop down list.
- Now click on SAVE. This should have saved a file named Regfix.reg on your desktop. You can close Notepad.exe now.
Step 3
- Close your browsers (Internet Explorer and FireFox) if you have them open.
- Double click on the Regfix.reg file you just saved on the desktop.
- If a User Account Control window opens, select Yes to continue.
- When the Registry Editor warning window opens, select Yes to allow the file to correct the errors in your registry.
- When the file has been merged into your registry, a window will inform you that the operation was successful.
- Please restart your system for the repair to take affect. (Note: After the restart, your ESET may start giving you popups about found malware. This is normal now and you should do a full scan of your system.)
Next Reply Post from You - Things to Include Please
- Any questions about this fix.
- Any problems you encountered performing this routine.
- How is your system running now?
-
cool, had a couple of pop ups, will have to see how it goes over the next few days just to be sure. all Internet functionality halt last night after the last post (connected to net, but nothing would go through), but that cleared up just before you posted. i'll give it a 24-48 hour settling time to see if anything crops up
-
I will be looking for your reply; please let me know either way. Thanks.
-
had a couple popup for chrome, but only when i initially start it
-
If this is only on Chrome (no other browsers) then try the following:
First, try resetting the Chrome User Profile >>>>
Enter the keyboard shortcut (Windows key + E) to open Windows Explorer.
In the Windows Explorer window that appears enter the following in the address bar.
Windows XP: [font color="#008000"]%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\[/font]
Windows Vista/ Windows 7/ Windows 8: [font color="#008000"]%LOCALAPPDATA%\Google\Chrome\User Data\[/font]
Locate the folder called "Default" in the directory window that opens and rename it as "Backup default."
Try opening Google Chrome again. A new "Default" folder is automatically created as you start using the browser.
If that fails to fix the problem, uninstall and reinstall Chrome >>>>
First, download a fresh copy of the Chrome installer:
32 bit systems -32 bit here (http://www.google.com/chrome/eula.html?standalone=1)
64 bit systems - 64 bit here (http://www.google.com/chrome/eula.html?standalone=1&platform=win64)
Note: Save the download file to your desktop for easy finding later.
Next, uninstall Chrome using the Control Panel Remove program app:
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
Google Chrome
To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.
Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.
Last, restart your system and install Chrome:
Double click on the install file on your desktop (from the First step) to run the installer.
Please use Chrome after the installation and check for any problems. If none, then you are done. If there are problems then continue to the following scan.