help with a hacker

[Anna222]

Hello!
i installed Avast yesterday and started to get this :



this ip 89.39.105.12 is from Netherlands and im in middle east

today someone made purchases via my paypal account and all the websites including this always try redirect me to some weird sites.
i went to the link with what i need to post here and even this site if i press anywhere on it, trying to redirect me to sex and other crap sites
please help me out!

[Michael (alan1998)]

Hello Anna,

First off, I will fetch Sass Drake for you. However, I must warn you, you have a lot of pirated software, movies and additional material. (and the list below is not all you have, I might add).

Code: [Select]

2019-09-11 12:40 - 2019-09-11 12:40 - 000028840 _____ C:\Users\Anna\Downloads\GreedFall-HOODLUM.torrent
2019-09-09 18:10 - 2019-09-09 18:10 - 000026296 _____ C:\Users\Anna\Downloads\שאלון שביעות רצון מקורס מקוון בשפה האנגלית (תגובות).xlsx
2019-09-09 17:28 - 2019-09-09 17:28 - 009408290 _____ C:\Users\Anna\Downloads\איפיון גירסה ראשונה (1) (1).pptx
2019-09-09 17:27 - 2019-09-09 17:27 - 009408290 _____ C:\Users\Anna\Downloads\איפיון גירסה ראשונה (1).pptx
2019-09-09 17:00 - 2019-09-09 17:00 - 000054723 _____ C:\Users\Anna\Downloads\הכנת קובץ נתונים לניתוח.pptx
2019-09-09 16:49 - 2019-09-09 18:07 - 001658712 _____ C:\Users\Anna\Desktop\חווית הלמידה של סטודנטים לתואר ראשון עם (1).pptx
2019-09-09 15:16 - 2019-09-09 15:16 - 001618397 _____ C:\Users\Anna\Downloads\חווית הלמידה של סטודנטים לתואר ראשון עם.pptx
2019-09-02 16:56 - 2019-09-02 16:56 - 000045785 _____ C:\Users\Anna\Desktop\Glowing Keys Vanilla-62-1-0-1555108318.zip
2019-09-02 16:49 - 2019-09-02 16:49 - 000001873 _____ C:\Users\Anna\Downloads\Enderal Fast Travel EV-5-2-0-1551101198.7z
2019-09-02 16:32 - 2019-09-02 16:32 - 004412498 _____ C:\Users\Anna\Downloads\המדריך לגידול גורי חתולים.zip
2019-09-02 16:27 - 2019-09-02 16:27 - 000390137 _____ C:\Users\Anna\Downloads\story.swf
2019-09-01 03:15 - 2019-09-01 03:15 - 001320651 _____ C:\Users\Anna\Desktop\איפיון גירסה ראשונה.pptx
2019-09-01 03:15 - 2019-09-01 03:15 - 000000000 ____D C:\Users\Anna\Documents\Custom Office Templates
2019-09-01 03:14 - 2019-09-01 03:14 - 001320901 _____ C:\Users\Anna\Downloads\איפיון גירסה ראשונה.pptx
2019-08-28 15:37 - 2019-09-02 16:55 - 000000000 ____D C:\Users\Anna\AppData\Local\enderal
2019-08-28 15:13 - 2019-08-28 15:13 - 000000207 _____ C:\Users\Anna\Desktop\Enderal Forgotten Stories.url
2019-08-24 20:51 - 2019-08-24 20:51 - 000030047 _____ C:\Users\Anna\Downloads\Shazam.2019.1080p.BluRay.x264-SPARKS.torrent
2019-08-24 20:47 - 2019-08-24 20:47 - 000033246 _____ C:\Users\Anna\Downloads\Batman.vs.Teenage.Mutant.Ninja.Turtles.2019.1080p.BluRay.x264-GHOULS.torrent
2019-08-17 23:09 - 2019-08-17 23:09 - 000001313 _____ C:\Users\Anna\Downloads\03-Google-Fonts.zip
2019-08-17 22:39 - 2019-08-17 22:39 - 000001129 _____ C:\Users\Anna\Downloads\01-Fonts-Intro.zip
2019-08-17 21:43 - 2019-08-17 21:43 - 000003902 _____ C:\Users\Anna\Downloads\09-Selector-Exercise-Starter.zip
2019-08-17 17:28 - 2019-08-17 23:09 - 000000000 ____D C:\Users\Anna\Desktop\WEB COURSE
2019-08-17 17:26 - 2019-08-17 17:26 - 000000696 _____ C:\Users\Anna\Downloads\03.zip

I also noted in your logs that you ran TDSS from Kaspersky. You have a log file on your root drive (C:\) called TDSSKiller.2.8.16.0_12.09.2019_03.07.02_log.txt. Please attach it here.

C:\Users\Anna\Downloads\rodo9wsc.exe
C:\Users\Anna\Downloads\kyqu25gp.exe

Those appear to be the same file - Is this additional software you downloaded to remove the infections? If so, did you run it? If so, attach those logs as well (along with the actual name of the program. I know GMER used random file names).

Attach this file as well == > C:\Users\Anna\Desktop\SCAN.txt

Lastly, I noted the avast download - (From Sept 11, 2019) C:\Users\Anna\Downloads\avast! Internet Security 2019 v19.6.2383 Build 19.6.4546.0.rar

Avast! IS is now under Premium security. This, combined with the odd location of your Avast License (C:\Users\Anna\Desktop\14-12-2023_IS_-_2020PR.avastlic), might also be pirated software? Additionally, Avast! has an official installer, which to my knowledge comes exclusively in an EXE format. Did you torrent Avast! as well?

Please be truthful in answering those questions. Torrenting is illegal, and (as you've discovered) extraordinarily risky.

Regards,
Michael

[Sass Drake]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-467774877-1077751928-1219071558-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
2019-09-11 20:59 - 2019-09-12 03:18 - 000000004 _____ () C:\ProgramData\lock.dat
2018-09-24 17:08 - 2018-09-24 17:08 - 000000317 _____ () C:\ProgramData\Retss.exe
2019-09-11 20:59 - 2019-09-11 20:59 - 000000008 _____ () C:\ProgramData\ts.dat
2018-01-11 12:14 - 2018-06-09 20:21 - 000000033 _____ () C:\Users\Anna\AppData\Roaming\AdobeWLCMCache.dat
2017-12-26 15:28 - 2017-12-26 15:34 - 000000663 _____ () C:\Users\Anna\AppData\Roaming\Contact Sheet II.xml
2017-12-26 15:28 - 2017-12-26 15:35 - 000019054 _____ () C:\Users\Anna\AppData\Roaming\ContactSheetII.log
2017-12-07 17:22 - 2019-07-27 17:42 - 000007623 _____ () C:\Users\Anna\AppData\Local\Resmon.ResmonCfg
2016-11-29 03:59 - 2016-11-23 15:19 - 000000570 _____ () C:\Users\Anna\AppData\Local\TroubleshooterConfig.json
EmptyTemp:

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[Anna222]

i added the files you asked
i cleaned everything with avast - things that avast didnt want to clear, with Malbytes.

[Anna222]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-467774877-1077751928-1219071558-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
2019-09-11 20:59 - 2019-09-12 03:18 - 000000004 _____ () C:\ProgramData\lock.dat
2018-09-24 17:08 - 2018-09-24 17:08 - 000000317 _____ () C:\ProgramData\Retss.exe
2019-09-11 20:59 - 2019-09-11 20:59 - 000000008 _____ () C:\ProgramData\ts.dat
2018-01-11 12:14 - 2018-06-09 20:21 - 000000033 _____ () C:\Users\Anna\AppData\Roaming\AdobeWLCMCache.dat
2017-12-26 15:28 - 2017-12-26 15:34 - 000000663 _____ () C:\Users\Anna\AppData\Roaming\Contact Sheet II.xml
2017-12-26 15:28 - 2017-12-26 15:35 - 000019054 _____ () C:\Users\Anna\AppData\Roaming\ContactSheetII.log
2017-12-07 17:22 - 2019-07-27 17:42 - 000007623 _____ () C:\Users\Anna\AppData\Local\Resmon.ResmonCfg
2016-11-29 03:59 - 2016-11-23 15:19 - 000000570 _____ () C:\Users\Anna\AppData\Local\TroubleshooterConfig.json
EmptyTemp:

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

what is this?

[Anna222]

the fixlog as well

[Pondus]

what is this?

@Sass Drake made a fix for your computer based on the FRST logs you attached

so the question now is, did it work is your problem solved?

[Anna222]

what is this?

@Sass Drake made a fix for your computer based on the FRST logs you attached

so the question now is, did it work is your problem solved?

well yes and no.
i keep getting from every page if i press it a msg about this 2 sites that always try to pop up even here on Avast webpage if i press anywhere after page reload

[Pondus]

OK, check back later for more instructions from @Sass Drake

[Sass Drake]

Please post new FRST.txt and Addition.txt.