Author Topic: Redirect Virus and regsvr32.exe process


REDACTED

  • Guest
Redirect Virus and regsvr32.exe process
« on: October 20, 2016, 09:57:18 PM »
I used AdwCleaner, JRT and Malwarebytes to remove viruses, trojans and adware from a friend's laptop.
It seems all the viruses were removed, but Malwarebytes still repeatedly warns that I get redirected through the regsvr32.exe process to 2.winsrw.com or 3.winsrw.com or 4.winsrw.com.
That's weird; I found regsvr32 is a legitimate process installed in the System32 folder.

Then I used rkill to stop all processes, disconnected the internet and rescanned with Malwarebytes, which found:
Spyware.Boaxxe ,Trojan.Agent.VBS,PUP.Optional.PowerShellSP

and successfully deleted them.
Now everything looks fine and there are no more warnings from Malwarebytes.
No more threats are found by AdwCleaner, but JRT still finds and deletes a File System item that won't be removed (it may refer to Windows Update).

When I read the Farbar scan logs it seems I still get redirected through hxxp or something like that.
Would you please check the attached fresh Farbar scan and JRT logs for any threats that appear!!!!

THANKS IN ADVANCE
« Last Edit: October 20, 2016, 10:59:44 PM by MARWAN33 »

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: Redirect Virus and regsvr32.exe process
« Reply #1 on: October 20, 2016, 10:08:33 PM »
Quote
Would you please check the attached fresh Farbar scan and JRT logs for any threats that appear!!!!
A malware expert is probably online tomorrow   ;)

You may also attach the Malwarebytes log so he can see what was found and removed.

REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #2 on: October 20, 2016, 10:35:22 PM »
Sure, here we go with the first scan by Malwarebytes.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/19/2016
Scan Time: 09:24 م
Logfile: first malware.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.09.22.05
Rootkit Database: v2016.09.26.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Saybolt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312460
Time Elapsed: 12 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.MWF.Gen, HKU\S-1-5-21-409850422-3690390440-2005932435-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Microsoft Windows Manager, C:\Users\Saybolt\M-505045058025025030484340240\winmgr.exe, Quarantined, [a9443cf614777abc2288a1c8cd36d12f]

Registry Data: 0
(No malicious items detected)

Folders: 2
Trojan.Agent, C:\Users\Saybolt\M-505045058025025030484340240, Quarantined, [0ae3d35fb1da72c48ef969949c6632ce],
Trojan.Agent, C:\Users\Saybolt\M-50504578098001680130302404020840, Quarantined, [09e461d142495fd7117628d57b87c53b],

Files: 4
Trojan.Bot.RV, C:\Temp\TrustedInstaller.exe, Quarantined, [bb322d056724f83e58aa6daa4ab67090],
Trojan.Agent, c:\Users\Saybolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iubrslus.exe, Delete-on-Reboot, [b93444ee5c2ff93de05796021fe1d32d],
Trojan.MWF.Gen, C:\Users\Saybolt\M-505045058025025030484340240\winmgr.exe, Quarantined, [a9443cf614777abc2288a1c8cd36d12f],
Trojan.Agent, C:\Users\Saybolt\M-50504578098001680130302404020840\windrv.exe, Quarantined, [09e461d142495fd7117628d57b87c53b],

Physical Sectors: 0
(No malicious items detected)


(end)

REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #3 on: October 20, 2016, 10:38:12 PM »
Here is the scan from immediately after using rkill.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/20/2016
Scan Time: 03:40 ص
Logfile: kilmal log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.19.13
Rootkit Database: v2016.09.26.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Saybolt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 265783
Time Elapsed: 9 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUP.Optional.PowerShellSP, HKU\S-1-5-21-409850422-3690390440-2005932435-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{89C62D4D-5E03-4F95-80F5-F6D9C2DAF1A7}, C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\DSDZOLE').QGLVIXA)));, Quarantined, [32e7eab1dfbb9c9a47759d34d52fa45c]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Spyware.Boaxxe, C:\Users\Saybolt\AppData\Local\Encmtion\ekwxovoeri.exe, Quarantined, [32e7217a7e1cd85e6a1918f93acbb848],
Trojan.Agent.VBS, C:\Users\Saybolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs, Quarantined, [c1589407cecc1e180c2cd1ccd62e629e],

Physical Sectors: 0
(No malicious items detected)


(end)


REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #4 on: October 20, 2016, 10:40:23 PM »
And here is a sample of the Protection Log.

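A small triage script over the two kinds of Malwarebytes lines posted in Reply #3 and Reply #4 (an added example, not code from the thread or from Malwarebytes): it flags the Run value that starts a PowerShell loader fed from another registry value, and flags Malicious Website Protection blocks whose source process is a Windows system binary such as regsvr32.exe rather than a browser. The Run value is copied from the scan log above; the protection-log lines are constructed samples with TEST-NET addresses, and the indicator names and the list of proxy binaries are my own choices.

```python
"""Triage of Malwarebytes Anti-Malware 2.x log lines (added example, not code from
the thread or from Malwarebytes): flag a Run-key value that starts a registry-resident
PowerShell loader, and a web-protection block raised by a Windows system binary."""
import re
# Switches and calls that together mark a fileless PowerShell loader whose payload
# sits in another registry value (the pattern of the PUP.Optional.PowerShellSP entry).
LOADER_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
    "payload_from_registry": re.compile(r"\b(?:gp|Get-ItemProperty)\s+'HK", re.I),
}
# Signed system binaries that malware commonly hides behind for its network traffic.
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PROTECTION_FIELDS = ("event", "time", "user", "host", "component", "module", "kind", "address", "port", "direction", "process")


def parse_detection(line):
    """Split a scan-log detection line into detection, location, data, action, ref.
    Only 'Registry Values' lines carry a data field (the contents of the value)."""
    parts = [p.strip() for p in line.rstrip(",").split(",")]
    return {"detection": parts[0], "location": parts[1],
            "data": ", ".join(parts[2:-2]).rstrip(";"),
            "action": parts[-2], "ref": parts[-1].strip("[]")}

def triage_autorun(line):
    """Names of the loader indicators present in the command a Run value stores."""
    data = parse_detection(line)["data"]
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(data)]

def triage_block(line):
    """Describe an outbound block whose source is a proxy binary; None otherwise."""
    ev = dict(zip(PROTECTION_FIELDS, [p.strip() for p in line.rstrip(",").split(",")]))
    proc = ev["process"].rsplit("\\", 1)[-1].lower()
    if ev["direction"] == "Outbound" and proc in PROXY_BINARIES:
        return f"{proc} -> {ev['address']}:{ev['port']} at {ev['time']}"
    return None


# Run value copied from the scan log above; protection lines are constructed samples (TEST-NET addresses).
RUN_VALUE_LINE = (
    "PUP.Optional.PowerShellSP, HKU\\S-1-5-21-409850422-3690390440-2005932435-1000"
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN|{89C62D4D-5E03-4F95-80F5-F6D9C2DAF1A7}, "
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile "
    "-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString("
    "[Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\DSDZOLE').QGLVIXA)));, "
    "Quarantined, [32e7eab1dfbb9c9a47759d34d52fa45c]")
PROTECTION_LINES = [
    "Detection, 10/20/2016 12:15 AM, SYSTEM, SAYBOLT-PC, Protection, Malicious Website "
    "Protection, IP, 192.0.2.10, 49161, Outbound, C:\\Windows\\System32\\regsvr32.exe,",
    "Detection, 10/20/2016 12:20 AM, SYSTEM, SAYBOLT-PC, Protection, Malicious Website "
    "Protection, IP, 198.51.100.7, 49217, Outbound, C:\\Program Files\\Internet Explorer\\iexplore.exe,",
]
```

A browser reaching a blocked site is ordinary low-signal noise; the same block coming from regsvr32.exe, which has no reason to open outbound connections on its own, is what makes the Reply #4 log worth escalating.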

REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #5 on: October 20, 2016, 10:49:40 PM »
Damn, another Trojan appears now (it only appears when I use rkill and disconnect the internet).

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/20/2016
Scan Time: 11:15 م
Logfile: fresh mal.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.20.10
Rootkit Database: v2016.09.26.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Saybolt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 271627
Time Elapsed: 26 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Hijack.Trojan.Siredef.C, HKU\S-1-5-21-409850422-3690390440-2005932435-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, Quarantined, [92e82a715f3b66d0431ff20f11ef9a66],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #6 on: October 20, 2016, 11:15:10 PM »
HOSTS file entries found NOW!!!


Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/21/2016 12:02:34 AM in x86 mode.
Windows Version: Windows 7 Ultimate

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\system32\HPSIsvc.exe (PID: 2148) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 811,520 : 07/14/2009 04:16 AM : 8626f0c30d4e3564ffdd25c90f4426f1 [NoSig]
 +-> C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll : 811,520 : 07/14/2009 04:16 AM : 34b7e222e81fafa885f0c5f2cfa56861 [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 api.recommendedsw.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us

  20 out of 36 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 10/21/2016 12:03:31 AM
Execution time: 0 hours(s), 0 minute(s), and 56 seconds(s)
« Last Edit: October 20, 2016, 11:20:28 PM by MARWAN33 »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Redirect Virus and regsvr32.exe process
« Reply #7 on: October 20, 2016, 11:20:37 PM »
Do not copy/paste logs, but attach them.

Please do nothing for now and wait for one of the listed malware removers to guide you.

REDACTED

  • Guest
Re: Redirect Virus and regsvr32.exe process
« Reply #8 on: October 20, 2016, 11:26:59 PM »
Ooops, sure Mr. President,
and sorry.

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Redirect Virus and regsvr32.exe process
« Reply #9 on: October 21, 2016, 01:42:09 PM »
My understanding (if the MBAM scan is right, I haven't looked at FRST) is that this is going to be very difficult to handle.

And even if they get "everything", they can't guarantee it. MBAM seems to think you have a rootkit called ZeroAccess (Sirefef).

http://www.microsoft.com/security/portal/threat/Encyclopedia/entry.aspx?Name=Win32%2FSirefef

Wait for help though. Please attach all those MBAM logs whilst you wait.

Edit: Fractured wrists + typing = sucky typing.

C:\Users\Saybolt\AppData\Local\Temp\catchme.sys

Find that, and upload it to www.virustotal.com please. If it asks you to view an old scan, or scan again, scan it again. Post the results here please.
« Last Edit: October 21, 2016, 01:48:54 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Redirect Virus and regsvr32.exe process
« Reply #10 on: October 21, 2016, 06:24:49 PM »
The HOSTS file entries are from Unchecky.  I would advise that installing new tools / programs ends until the system is fixed / cleaned.

Why was ComboFix run on this system recently?  Were you getting support from a different source?  If so, you need to stick with them.


Download CKScanner from here

Important : Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5