Jump to content

Infected with f.asdfzxcv1312.com


Recommended Posts

About a week ago, I noticed popups stating that outbound f.asdfzxcv1312.com Malicious website was being detected and blocked by Malwarebytes.  This seemed to start after I downloaded and installed Savefrom.net helper.  I'm hoping that I've understood the reporting methods correctly.  Attached are the FRST and Addition files created by the run of the Farbar Recovery Scan.

Thanks,

Michael Heath

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello and :welcome:

 

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Link to post
Share on other sites

It seems to have slowed it down, but not stopped it.

# AdwCleaner v5.201 - Logfile created 25/07/2016 at 12:09:52
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-25.1 [Server]
# Operating system : Windows (TM) Vista Home Premium Service Pack 2 (X64)
# Username : Michael - HOME
# Running from : C:\Users\Michael\Downloads\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[#] Folder Deleted : C:\SearchProtect
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HiDefMedia
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VAFPlayer
[#] Folder Deleted : C:\Program Files (x86)\Conduit
[#] Folder Deleted : C:\Program Files (x86)\Coupons
[#] Folder Deleted : C:\Program Files (x86)\HiDefMedia
[#] Folder Deleted : C:\Program Files (x86)\Smartdl
[#] Folder Deleted : C:\Program Files (x86)\tuguu sl
[#] Folder Deleted : C:\Program Files (x86)\Yahoo!\yset
[#] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
[#] Folder Deleted : C:\Users\Michael\AppData\Local\PackageAware
[#] Folder Deleted : C:\Users\Michael\AppData\Local\YSearchUtil
[#] Folder Deleted : C:\Users\Michael\AppData\Roaming\iWin
[#] Folder Deleted : C:\Users\Michael\AppData\Roaming\Yahoo!\Companion
[#] Folder Deleted : C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\ByteFence
[#] Folder Deleted : C:\Users\Michael\Documents\Flash Player Pro
[#] Folder Deleted : C:\Program Files\DomaIQ Uninstaller

***** [ Files ] *****

[-] File Deleted : C:\Users\Public\Desktop\eBay.lnk
[-] File Deleted : C:\Users\Public\Desktop\HiDef Media Player.lnk
[-] File Deleted : C:\Users\Public\Desktop\Video Downloader.lnk
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
[-] File Deleted : C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\invalidprefs.js

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\s
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{20B9C05C-99C9-4BAB-B596-FB0C0E1C9F55}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\APN PIP
[-] Key Deleted : HKCU\Software\tuguu sl
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Toolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\BetterSurf
[-] Key Deleted : HKLM\SOFTWARE\BrowserSafeGuard
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EBE677C0-CBCB-4EBF-8098-E27E1B5271CF}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSafeGuard
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DomaIQ Uninstaller
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{EBE677C0-CBCB-4EBF-8098-E27E1B5271CF}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BrowserSafeGuard
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DomaIQ Uninstaller
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! SearchSet
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C776EBEBCBCFBE408892EE7B12517FC
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0C776EBEBCBCFBE408892EE7B12517FC
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Installer\Products\0C776EBEBCBCFBE408892EE7B12517FC

***** [ Web browsers ] *****

[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("CT3277370_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1374684048680,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("CT3289847.installerVersion", "1.4.2.3");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3277370&octid=CT3277370&SearchSource=61&CUI=UN20452458816574286&UM=2&UP=SP3AFE08A9-8414-4AB4-BC24-F99FEBF8EF3E");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("Smartbar.ConduitSearchEngineList", "InternetHelper3 Customized Web Search");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3277370&SearchSource=2&CUI=UN20452458816574286&UM=2&q=");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3277370");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("browser.search.defaultthis.engineName", "InternetHelper3 Customized Web Search");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("browser.search.selectedEngine", "InternetHelper3 Customized Web Search");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("show.CT3277370", false);
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3277370");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3277370&SearchSource=2&CUI=UN20452458816574286&UM=2&q=");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3277370");
[-] [C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\xhvm5003.default\prefs.js] Deleted : user_pref("smartbar.machineId", "YRR0SQVMDYFY4/NNI7RFUMKBXUNDZH/N0ML9GYBGCHHQAJAEPO05YZ41WLNAAS24WNGACAT3UK/0WE0Y75HXPW");
[-] [C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [8205 bytes] - [25/07/2016 12:09:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [9170 bytes] - [25/07/2016 11:56:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [8351 bytes] ##########

 

Link to post
Share on other sites

FRST.gif Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked. option is checked.

    2873ryc.png

  • Press Scan button and wait.

  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.


Please attach report into your next reply.

Link to post
Share on other sites

Please remove Coupon Printer for Windows if you didn't install it.

 

FRST.gif Fix with Farbar Recovery Scan Tool

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif


icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Link to post
Share on other sites

I'd like to clarify a few things before I execute this.  I see the coupon printer dll's in the FRST.txt files, but I don't find them anywhere.  It looks like they are plugins, but I don't find a plugin about coupon printing in either firefox,chrome or IE.  Could they be orphans?  And if so, where are they so I can delete them?  They don't show up in the location that FRST.txt says they're in.

I need to download fixlist.txt and move it to some directory.  Your instructions say that fixlist.txt and FRST should be in the same directory.  Should it be the directory where FRST.txt is?  Or should I move it to the FRST directory?  Or should it be moved to where FRST64.exe is located?

Thanks,

Michael Heath

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.