vitaum88
Posted February 16, 2019
ID:1299004

Hello all,

Earlier today I mistakenly installed some unknown piece of software which resulted in the infection of several Trojan and Adware files on my PC. The files were being generated everywhere, in random folders with random names upon startup, and Chrome would be opening new tabs indefinitely.

By using Malwarebytes without an internet connection it seemed that I had managed to fix this issue. The logs were coming back with zero threats. However, when browsing YouTube and other sites via Chrome I seemed to get some unfamiliar behavior/ads. I checked my extensions and removed one I did not recognize (chrome_filter). Then I noticed two things: my Google page was "google.ga" (from Gabon), and when I actually searched for anything the address bar would change to my-search.com/"whatever term I searched here". Thus, I tried to reinstall Chrome using MS Edge. On Edge I'm getting some ads with "Aura" written on their bottom (which I searched online and seems to be malware-related) and I'm also getting google.ga in there, but no "my-search" redirection. There are some empty popups that appear which I blocked. I tried reinstalling Chrome anyway and I got an error saying that the Chrome installer couldn't connect to Google's network and suggested I check my firewalls.

Finally, I've just run Malwarebytes again with the Rootkit and "inside archives" options turned on and I got the attached log - I quarantined the 4 infected files. I'm also attaching the FRST log with the "Addition.txt" file.

Any help? Thanks in advance

Attachments: log.txt, Addition.txt, FRST.txt
RPMcMurphy
Posted February 17, 2019
ID:1299096

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear."
Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

- - -

Right click on the FRST icon and select Run as administrator.
Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time.
The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below.

Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S4 OWM3ZTM3ZTY2OG; "C:\Program Files\OWM3ZTM3ZTY2OG\NWE0NzZmOD.exe" [X]
2019-02-16 10:26 - 2019-02-16 10:26 - 000000000 ____D C:\ProgramData\{B21E3CD3-4641-2612-395B-91AA39BCC8FB}
2019-02-16 10:26 - 2019-02-16 10:26 - 000000000 ____D C:\ProgramData\{991D3439-4EAB-0D11-D353-9281D3B4CBD0}
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
C:\Windows\Temp\*.*
C:\Users\CurrentUserName\AppData\Local\Temp\*.*
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Click Fix. When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

How is the computer running now?
vitaum88
Posted February 17, 2019 (Author)
ID:1299101

Hello Murphy, good morning! Thanks for your reply.

Find attached the Fixlog.txt file. What are the next steps?

Attachment: Fixlog.txt
RPMcMurphy
Posted February 17, 2019
ID:1299103

Download AdwCleaner and move it to your Desktop.
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
Accept the EULA (I accept), then click on Scan.
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button.
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do so.
After the restart, a log will open when logging in. Please copy and paste the contents of that log into your next reply.
vitaum88
Posted February 17, 2019 (Author)
ID:1299109

Hi friend,

Here we go?

# -------------------------------
# Malwarebytes AdwCleaner 7.2.7.0
# -------------------------------
# Build:    01-30-2019
# Database: 2019-02-15.6 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    02-17-2019
# Duration: 00:00:04
# OS:       Windows 10 Home Single Language
# Cleaned:  16
# Failed:   2

***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files (x86)\OSTotoSoft

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted       C:\Windows\Tasks\BKUSGEDCEFICVBDOSLJ.JOB
Deleted       C:\Windows\Tasks\BKUHAOSJCXQPTTPNWUU.JOB
Deleted       C:\Windows\System32\Tasks\BKUSGEDCEFICVBDOSLJ
Deleted       C:\Windows\System32\Tasks\BKUHAOSJCXQPTTPNWUU

***** [ Registry ] *****

Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\EventSvc
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9AC66348-1D98-4E4B-904A-3130532A985B}
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9AC66348-1D98-4E4B-904A-3130532A985B}
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkusGeDCEFIcvBdOSlJ
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A998079-7B99-4A48-9A32-79173B014453}
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A998079-7B99-4A48-9A32-79173B014453}
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkuhAoSJcXQpTtpNWuU
Deleted       HKCU\Software\OSTotoSoft
Deleted       HKLM\Software\Wow6432Node\OSTotoSoft
Deleted       HKCU\Software\OneSystemCare
Deleted       HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}

***** [ Chromium (and derivatives) ] *****

Not Deleted   Managera
Not Deleted   Extutil

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [3794 octets] - [04/05/2018 16:58:52]
AdwCleaner[C00].txt - [3623 octets] - [04/05/2018 16:59:43]
AdwCleaner[S01].txt - [2946 octets] - [17/02/2019 13:43:51]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

I see 2 lines on Chrome weren't fixed. haha

Any more steps?
RPMcMurphy
Posted February 17, 2019
ID:1299111

Please do this and let me know how it is running:

- - -

Right click on the FRST icon and select Run as administrator.
Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time.
The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below.

Start::
CreateRestorePoint:
CloseProcesses:
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
ContextMenuHandlers1: [BB FlashBack 2] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> No File
ContextMenuHandlers1: [QuickShare] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
Task: {1A998079-7B99-4A48-9A32-79173B014453} - System32\Tasks\bkuhAoSJcXQpTtpNWuU => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exe
Task: {80891717-F5B0-4ABB-B528-02CD33D63ED4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {9AC66348-1D98-4E4B-904A-3130532A985B} - System32\Tasks\bkusGeDCEFIcvBdOSlJ => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exe
Task: {D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA} - \goloader1 -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exed/comm we /adp YNLR9YNLR5UMLR1APLR6KOLR9GOLR0NNLR6SNLR0SNLR2XMLR2YOLR3RNLR6JOLR4ZNLR4UOLR2WOLR6ZNLR2 C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvBLAPTOPVICTOR\victor.avd
Task: C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exed/comm we /adp YMLR0QNLR6EPLR7APLR2DNLR4MNLR9UNLR6LNLR3DPLR7WOLR9DNLR3SNLR8WNLR4BNLR2JOLR3RNLR8ONLR4 C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpathLAPTOPVICTOR\victor.avd
VirusTotal: C:\Users\victor.avd
FirewallRules: [UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [{63D34267-4874-4C04-8715-3C7C71A7059E}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{D5C919B1-DD4E-4095-A3BD-027838F7F71D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{BDA0E642-4672-410B-8371-48D693DB79A8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{7189BB17-7687-48EA-B554-0AF84B9C0AE1}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{B7305920-6EBE-4C59-B31A-3B882EF3AE22}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{4674792F-3556-4CC9-A385-3DBD14D61E0D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{6878256F-D676-4484-8945-E334C89B3995}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{ADDD66D9-DB90-4486-8334-794E05E89FB8}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{36E45D9D-B42C-4EE0-9159-242BF95B87EE}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{24A24EC5-5B1E-454F-B6AF-1D6615E98743}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{E241F745-19E0-40ED-AC45-C64F72C750E6}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{36A13E40-46A8-4BC4-B5BB-3482B39989A2}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [{2BC13282-4776-4190-AB51-AF0C3253DE16}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{04887266-C004-437E-B459-F9222B03A739}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{BB559364-178B-45D9-8CC4-11F75016490A}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{6560914F-F048-4C98-BA16-1E936B357C98}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{C7543C50-5037-4185-9A57-D035EF908A2E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{1D5BE10F-19BB-44C8-8441-2C5C233E7348}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{F370076F-2951-4158-93EA-7B5A763FCB47}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{E57B439B-BC76-4041-8BF6-75D2F6D233A6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{0D5FF9FD-F978-4457-928E-11C2F83E2C62}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{4F219C29-AED5-405C-AEFB-D088C412D89C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{2914E838-2CAD-448E-93FB-9D1DDA75F37C}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{85FDC0DC-C090-4F85-AEEB-18162F7565D2}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{F9AA6261-9104-4B75-87BA-F2957A054EAB}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [{B869FD31-D289-4DA9-8C80-97256646F9F5}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{2D22DE02-C41D-4655-A277-8B2D65621BA7}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{73B3127F-74F4-40F3-8904-2C47F2585CAA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{CC70935D-EB57-4A59-AF57-BD800DC2B458}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{E4349180-BD0D-465F-A4E4-ABF292A34538}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Click Fix. When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
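As an added example (not code from this thread, and not part of FRST or AdwCleaner), a read-only PowerShell triage that looks for the same residue classes the two fix scripts above remove: scheduled tasks launching a binary out of a Temp folder, firewall rules whose program path no longer exists ("No File"), and values under the Windows Defender and Google policy keys flagged as "Restriction". Function names are mine; it assumes Windows 10 with PowerShell 5.1 run from an elevated prompt, and it reports only, deleting nothing.

```powershell
# Added example, not from the thread or from FRST: read-only triage for the
# three residue classes the fix scripts above remove. Nothing is modified.
# Assumes Windows 10, PowerShell 5.1 (ScheduledTasks + NetSecurity modules),
# elevated session so machine-wide tasks and rules are visible.

function Get-TempFolderScheduledTask {
    # Tasks whose action runs from a Temp folder: the pattern in the log is a
    # random task name pointing at <random dir>\oiuwertmnasgbkj.exe under
    # %LOCALAPPDATA%\Temp. OnDisk is $false once the payload has been removed.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -match '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\') {
                [PSCustomObject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    OnDisk    = Test-Path -LiteralPath $exe
                }
            }
        }
    }
    # Legacy .job files in C:\Windows\Tasks (the BKU*.JOB entries AdwCleaner
    # deleted) are not always surfaced by Get-ScheduledTask, so list them too.
    Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{ Task = $_.FullName; Execute = '(legacy .job file)'; Arguments = ''; OnDisk = $true }
        }
}

function Get-OrphanedFirewallRule {
    # Rules whose Program filter names a path that no longer exists, i.e. the
    # "No File" FirewallRules lines above. Orphans are clutter rather than an
    # active threat, but an Allow rule bound to a path under a user profile is
    # worth a look because anything running as that user can recreate the file.
    Get-NetFirewallRule | ForEach-Object {
        $rule = $_
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $prog -or $prog -in @('Any', 'System')) { return }
        $path = [Environment]::ExpandEnvironmentVariables($prog)
        if (-not (Test-Path -LiteralPath $path)) {
            [PSCustomObject]@{
                Name        = $rule.DisplayName
                Direction   = $rule.Direction
                Action      = $rule.Action
                Program     = $path
                UserProfile = $path -match '^[A-Za-z]:\\Users\\'
            }
        }
    }
}

function Get-PolicyRestriction {
    # The first fix script flagged these two policy keys. On a stand-alone
    # home PC they normally do not exist; any value here (Defender switched
    # off, Chrome extensions force-installed, search provider pinned) was
    # written by software on the machine, not by a domain administrator.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Policies\Google') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $keys = @(Get-Item -LiteralPath $key) +
                @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                [PSCustomObject]@{
                    Key   = $k.Name
                    Value = $name
                    Data  = $k.GetValue($name)
                }
            }
        }
    }
}

# Run all three checks; an empty table for each is the expected clean result.
Get-TempFolderScheduledTask | Format-Table -AutoSize
Get-OrphanedFirewallRule    | Format-Table -AutoSize
Get-PolicyRestriction       | Format-Table -AutoSize
```

A hit in the first or third table on a machine that is not domain-joined is what the FRST script lines marked ATTENTION correspond to; hits in the second table are mostly uninstall leftovers, as the Steam and Connectify entries above are.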
vitaum88
Posted February 17, 2019 (Author)
ID:1299114

Hey! Here we go?

Fix result of Farbar Recovery Scan Tool (x64) Version: 17.02.2019
Ran by victor.avdias (17-02-2019 14:12:00) Run:2
Running from C:\Users\victor.avdias\Desktop\recovery
Loaded Profiles: victor.avdias (Available Profiles: victor.avdias)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
ContextMenuHandlers1: [BB FlashBack 2] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> No File
ContextMenuHandlers1: [QuickShare] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
Task: {1A998079-7B99-4A48-9A32-79173B014453} - System32\Tasks\bkuhAoSJcXQpTtpNWuU => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exe
Task: {80891717-F5B0-4ABB-B528-02CD33D63ED4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {9AC66348-1D98-4E4B-904A-3130532A985B} - System32\Tasks\bkusGeDCEFIcvBdOSlJ => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exe
Task: {D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA} - \goloader1 -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exed/comm we /adp YNLR9YNLR5UMLR1APLR6KOLR9GOLR0NNLR6SNLR0SNLR2XMLR2YOLR3RNLR6JOLR4ZNLR4UOLR2WOLR6ZNLR2 C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvBLAPTOPVICTOR\victor.avd
Task: C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exed/comm we /adp YMLR0QNLR6EPLR7APLR2DNLR4MNLR9UNLR6LNLR3DPLR7WOLR9DNLR3SNLR8WNLR4BNLR2JOLR3RNLR8ONLR4 C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpathLAPTOPVICTOR\victor.avd
VirusTotal: C:\Users\victor.avd
FirewallRules: [UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [{63D34267-4874-4C04-8715-3C7C71A7059E}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{D5C919B1-DD4E-4095-A3BD-027838F7F71D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{BDA0E642-4672-410B-8371-48D693DB79A8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{7189BB17-7687-48EA-B554-0AF84B9C0AE1}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{B7305920-6EBE-4C59-B31A-3B882EF3AE22}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{4674792F-3556-4CC9-A385-3DBD14D61E0D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{6878256F-D676-4484-8945-E334C89B3995}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{ADDD66D9-DB90-4486-8334-794E05E89FB8}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{36E45D9D-B42C-4EE0-9159-242BF95B87EE}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{24A24EC5-5B1E-454F-B6AF-1D6615E98743}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{E241F745-19E0-40ED-AC45-C64F72C750E6}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{36A13E40-46A8-4BC4-B5BB-3482B39989A2}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [{2BC13282-4776-4190-AB51-AF0C3253DE16}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{04887266-C004-437E-B459-F9222B03A739}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{BB559364-178B-45D9-8CC4-11F75016490A}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{6560914F-F048-4C98-BA16-1E936B357C98}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{C7543C50-5037-4185-9A57-D035EF908A2E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{1D5BE10F-19BB-44C8-8441-2C5C233E7348}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{F370076F-2951-4158-93EA-7B5A763FCB47}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{E57B439B-BC76-4041-8BF6-75D2F6D233A6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{0D5FF9FD-F978-4457-928E-11C2F83E2C62}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{4F219C29-AED5-405C-AEFB-D088C412D89C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{2914E838-2CAD-448E-93FB-9D1DDA75F37C}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{85FDC0DC-C090-4F85-AEEB-18162F7565D2}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{F9AA6261-9104-4B75-87BA-F2957A054EAB}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [{B869FD31-D289-4DA9-8C80-97256646F9F5}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{2D22DE02-C41D-4655-A277-8B2D65621BA7}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{73B3127F-74F4-40F3-8904-2C47F2585CAA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{CC70935D-EB57-4A59-AF57-BD800DC2B458}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{E4349180-BD0D-465F-A4E4-ABF292A34538}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}" => not found
HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000} => removed successfully
HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000} => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BB FlashBack 2 => removed successfully
HKLM\Software\Classes\CLSID\{A8065B9E-193F-4797-B62D-8F6321E7FCCB} => not found
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\QuickShare => removed successfully
HKLM\Software\Classes\CLSID\{A8065B9E-193F-4797-B62D-8F6321E7FCCB} => not found
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A998079-7B99-4A48-9A32-79173B014453}" => not found
"C:\WINDOWS\System32\Tasks\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{80891717-F5B0-4ABB-B528-02CD33D63ED4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80891717-F5B0-4ABB-B528-02CD33D63ED4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9AC66348-1D98-4E4B-904A-3130532A985B}" => not found
"C:\WINDOWS\System32\Tasks\bkusGeDCEFIcvBdOSlJ" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkusGeDCEFIcvBdOSlJ" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\goloader1" => removed successfully
"C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job" => not found
"C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job" => not found
"VirusTotal: C:\Users\victor.avd" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{63D34267-4874-4C04-8715-3C7C71A7059E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D5C919B1-DD4E-4095-A3BD-027838F7F71D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BDA0E642-4672-410B-8371-48D693DB79A8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7189BB17-7687-48EA-B554-0AF84B9C0AE1}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B7305920-6EBE-4C59-B31A-3B882EF3AE22}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4674792F-3556-4CC9-A385-3DBD14D61E0D}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6878256F-D676-4484-8945-E334C89B3995}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ADDD66D9-DB90-4486-8334-794E05E89FB8}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36E45D9D-B42C-4EE0-9159-242BF95B87EE}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{24A24EC5-5B1E-454F-B6AF-1D6615E98743}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E241F745-19E0-40ED-AC45-C64F72C750E6}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}" => removed successfully 
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36A13E40-46A8-4BC4-B5BB-3482B39989A2}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2BC13282-4776-4190-AB51-AF0C3253DE16}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{04887266-C004-437E-B459-F9222B03A739}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BB559364-178B-45D9-8CC4-11F75016490A}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6560914F-F048-4C98-BA16-1E936B357C98}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C7543C50-5037-4185-9A57-D035EF908A2E}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}" => removed successfully 
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1D5BE10F-19BB-44C8-8441-2C5C233E7348}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F370076F-2951-4158-93EA-7B5A763FCB47}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E57B439B-BC76-4041-8BF6-75D2F6D233A6}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0D5FF9FD-F978-4457-928E-11C2F83E2C62}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4F219C29-AED5-405C-AEFB-D088C412D89C}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}" => removed successfully 
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2914E838-2CAD-448E-93FB-9D1DDA75F37C}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{85FDC0DC-C090-4F85-AEEB-18162F7565D2}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F9AA6261-9104-4B75-87BA-F2957A054EAB}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B869FD31-D289-4DA9-8C80-97256646F9F5}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2D22DE02-C41D-4655-A277-8B2D65621BA7}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73B3127F-74F4-40F3-8904-2C47F2585CAA}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CC70935D-EB57-4A59-AF57-BD800DC2B458}" => 
removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E4349180-BD0D-465F-A4E4-ABF292A34538}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}" => removed successfully The system needed a reboot. ==== End of Fixlog 14:13:11 ==== Link to post Share on other sites More sharing options...
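A Fixlog like the one above is long and every line has the same shape (a target, then "=>", then an outcome), which makes it easy to summarise mechanically. The following is an added example, not part of the thread and not FRST's own tooling: it parses result lines of that shape, classifies each target as a registry key, file, scheduled task or firewall rule, tallies the outcomes, and lists the "not found" targets, which are the ones a helper would want to re-check in the next scan. The sample lines are copied from the log above; the classification rules are my own heuristics.

```python
import re
from collections import Counter

# Result lines copied from the Fixlog in this thread (a constructed subset, not the whole log).
SAMPLE_FIXLOG = r'''
Restore point was successfully created.
Processes closed successfully.
"C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}" => not found
HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000} => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BB FlashBack 2 => removed successfully
"C:\WINDOWS\System32\Tasks\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\goloader1" => removed successfully
"C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{63D34267-4874-4C04-8715-3C7C71A7059E}" => removed successfully
The system needed a reboot.
==== End of Fixlog 14:13:11 ====
'''

# One result line: optional surrounding quotes on the target, then " => ", then the outcome text.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+)$')


def classify(target):
    """Heuristic bucket for a Fixlog target (assumption: these prefixes cover the common cases)."""
    t = target.lower()
    if "\\firewallpolicy\\firewallrules\\" in t:
        return "firewall rule"
    if "\\schedule\\taskcache\\" in t or (t.startswith("c:\\windows") and "\\tasks\\" in t):
        return "scheduled task"
    if t.startswith(("hklm\\", "hku\\", "hkcu\\")):
        return "registry key"
    if re.match(r"^[a-z]:\\", t):
        return "file or folder"
    return "other"


def summarize_fixlog(text):
    """Return (entries, counts, not_found) for every '<target> => <outcome>' line in text."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # status lines such as "Processes closed successfully." carry no target
        target = m.group("target")
        entries.append({"target": target, "kind": classify(target), "outcome": m.group("outcome")})
    counts = Counter((e["kind"], e["outcome"]) for e in entries)
    not_found = [e["target"] for e in entries if e["outcome"] == "not found"]
    return entries, counts, not_found


if __name__ == "__main__":
    entries, counts, not_found = summarize_fixlog(SAMPLE_FIXLOG)
    for (kind, outcome), n in sorted(counts.items()):
        print(f"{n:3d}  {kind:15s} {outcome}")
    print("\nTargets reported as not found (re-check on the next FRST scan):")
    for t in not_found:
        print("  " + t)
```

Run against the subset above it reports two firewall rules and two registry keys removed, one scheduled-task tree removed, and three targets not found (a folder, a task file and a .job file); on a full Fixlog the same function gives the helper a one-screen view of what the fix actually changed.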
RPMcMurphy Posted February 17, 2019 ID:1299127 How is it running now? Are you still having issues?
vitaum88 Posted February 17, 2019 Author ID:1299129 Hey Murphy,
Thanks for your help. Unfortunately, I'm still having some issues. I'm providing a few screen captures (attached) so you can see what I mean.
Google redirection -> I typed "test search". Firstly the address bar tried to reach out to Google.com.br (Brazilian domain for Google) correctly, because I live here in Brazil. But when the page finally ran, the result came in Google.ga (Gabon, a totally different country in another continent, in Africa). - files google brasil and google gabon
Upon visiting YouTube, for example, you can see that first it loads the "correct" advertisers on top (such as Coca-Cola's promo video). Then after a few seconds it refreshes and delivers those stupid ads (Viagra ads, scam sites for "easy money online", and the "Aura Ad" banner on the top-right corner). - files normal yt ads and dumb yt ads
I try to download Chrome off of regular Google, but it keeps redirecting me to the Gabon website. And finally, upon running the installer, it says it could not connect to the internet. - files chrome installer and chrome download
I do have Avira installed, but even after clicking it the interface won't open... This makes me wonder if there is some routing virus that I'm experiencing... Something that won't let me reach certain DNS or webpages, or denies access to my anti-virus software.
Also the ad delivery is just blatantly wrong. No matter what pages I open or websites I visit, I only get Viagra and the R$1900,00 / week scam website.
Did you get the whole picture now?
RPMcMurphy Posted February 17, 2019 ID:1299130 Please run another scan with FRST and post the log for me.
vitaum88 Posted February 17, 2019 Author ID:1299131 Attached both logs! Addition.txt FRST.txt
RPMcMurphy Posted February 17, 2019 ID:1299141 Please do this, then run another scan with Malwarebytes and post both logs for me:
- - -
Right click on the FRST icon and select Run as administrator
Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below
vitaum88 Posted February 17, 2019 Author ID:1299142 Hey Murphy, I don't see the code box with the code.
RPMcMurphy Posted February 18, 2019 ID:1299147 Sorry, I'm having grief with the forum software. Download the attached file to the same location as FRST, then press fix. fixlist.txt
vitaum88 Posted February 18, 2019 Author ID:1299152 Hey, adding the fixlog. Gotta have dinner and will leave the Malwarebytes running. I'll attach it ASAP. Fixlog.txt
vitaum88 Posted February 18, 2019 Author ID:1299161 Here you go! newlog.txt
RPMcMurphy Posted February 18, 2019 ID:1299175 You have some suspicious extensions in Chrome that came in roughly the same time as your malware:
CHR Extension: (Chrome Media Router) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-02-16]
CHR Extension: (chrome_filter) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\ckbjifmmloleglbpjjafmaohbgachggj [2019-02-16]
Please follow the instructions in this link: https://support.google.com/chrome/answer/2765944?co=GENIE.Platform%3DDesktop&hl=en to Remove unwanted ads, pop-ups & malware and Reset your browser settings in Chrome. Once that's done, please let me know if you still have issues.
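The post above picks out extensions by their install date relative to the infection. The check below is an added example written for this thread, not the helper's tooling or FRST: it walks a Chrome profile's Extensions folder (assumed layout Extensions\<id>\<version>\manifest.json), reads each manifest, and flags an extension when its id is one named in the FRST log, when its folder timestamp falls on the incident date, or when its manifest requests permissions that let it rewrite or proxy traffic. It builds a constructed temporary profile so it runs offline; the extension ids come from the log above, everything else in the sample is made up.

```python
import json
import os
import tempfile
from datetime import date, datetime
from pathlib import Path

# Extension ids quoted in the FRST log in this thread; the names and permissions below are constructed.
SUSPECT_IDS = {
    "pkedcjkdefgpdelpbcmbmeomcjbeemfm",  # listed as "Chrome Media Router" in the log
    "ckbjifmmloleglbpjjafmaohbgachggj",  # listed as "chrome_filter" in the log
}

# Manifest permissions that allow an extension to alter or redirect browsing (assumption: a
# minimal list; a production check would use a fuller one).
TRAFFIC_PERMISSIONS = {"webRequestBlocking", "proxy", "declarativeNetRequest"}


def enumerate_extensions(extensions_dir):
    """Walk Extensions\\<id>\\<version>\\manifest.json and return one record per version folder."""
    records = []
    ext_root = Path(extensions_dir)
    if not ext_root.is_dir():
        return records
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the folder, with no metadata
            installed = datetime.fromtimestamp(ver_dir.stat().st_mtime).date()
            records.append({
                "id": ext_dir.name,
                "version": data.get("version", ver_dir.name),
                "name": data.get("name", "<no manifest name>"),
                "installed": installed,
                "permissions": sorted(str(p) for p in data.get("permissions", [])),
            })
    return records


def flag_extensions(records, incident_date, known_ids=SUSPECT_IDS):
    """Return (id, name, reasons) for every record that trips at least one rule."""
    flagged = []
    for r in records:
        reasons = []
        if r["id"] in known_ids:
            reasons.append("id named in FRST log")
        if r["installed"] == incident_date:
            reasons.append("installed on incident date")
        if TRAFFIC_PERMISSIONS.intersection(r["permissions"]):
            reasons.append("can rewrite or proxy traffic")
        if reasons:
            flagged.append((r["id"], r["name"], reasons))
    return flagged


def build_sample_profile(root):
    """Constructed sample profile: two folders with the logged ids and one benign one."""
    samples = [
        ("pkedcjkdefgpdelpbcmbmeomcjbeemfm", "1.0.0",
         {"name": "Chrome Media Router", "version": "1.0.0",
          "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
         datetime(2019, 2, 16, 10, 26)),
        ("ckbjifmmloleglbpjjafmaohbgachggj", "0.9",
         {"name": "chrome_filter", "version": "0.9", "permissions": ["tabs", "proxy"]},
         datetime(2019, 2, 16, 10, 30)),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.3.1",
         {"name": "Sample Benign Extension", "version": "2.3.1", "permissions": ["storage"]},
         datetime(2018, 11, 3, 9, 0)),
    ]
    ext_root = Path(root) / "Extensions"
    for ext_id, version, manifest, when in samples:
        ver_dir = ext_root / ext_id / version
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        ts = when.timestamp()
        os.utime(ver_dir, (ts, ts))  # set after writing so the folder keeps the sample date
    return ext_root


def run_demo(incident_date=date(2019, 2, 16)):
    """Build the sample profile in a temp dir and return the flagged extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        return flag_extensions(enumerate_extensions(build_sample_profile(tmp)), incident_date)


if __name__ == "__main__":
    for ext_id, name, reasons in run_demo():
        print(f"{ext_id}  {name}: {', '.join(reasons)}")
```

On a real machine, point enumerate_extensions at the profile's Extensions folder (the log above shows both Default and System Profile) and pass the date the infection started. A hit on the date rule alone is weak evidence, since anything updated that day also matches, so treat a flagged id as something to look up and compare against the Web Store listing rather than as a verdict.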
vitaum88 Posted February 18, 2019 Author ID:1299223 Hello Murphy, It seems the last step solved my issue. I've managed to install chrome, I don't see stupid advertisement and there's no redirect to google.ga. Also, upon checking my chrome extensions, these 2 are not there. Would you say the issue is solved?
RPMcMurphy Posted February 18, 2019 ID:1299246 That's good to hear, but I'd like you to run one more scan just to be sure we have everything:
Download ESET Online Scanner and save it to your desktop.
Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
Click on Get Started.
Another window will appear - select Get Started.
Select whether you would like to send anonymous data to ESET.
Click on the Full Scan option.
Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
ESET will now begin scanning your computer. This may take some time.
When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt.
Click on Continue.
ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
On the next screen, you can leave feedback about the program if you wish.
Check the box for Delete application data on closing.
If you left feedback, click Submit and continue. If not, Close without feedback.
On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.
vitaum88 Posted February 18, 2019 Author ID:1299295 Hey Murphy, you're right. Upon searching anything on google, even though the domain is fine (google.com.br), I get some crazy trackers on the URL. Running a TEST SEARCH again, I get the following line on the address bar:
https://www.google.com/search?q=test+search&rlz=1C1SQJL_pt-BRBR836BR836&oq=test+search&aqs=chrome.0.69i59j0l5.1648j0j7&sourceid=chrome&ie=UTF-8
From what I've researched, it seems that these are search trackers (the oq=, aqs=, etc.)
I did the browser clean up as requested on the link you provided (google official support link), but chrome wasn't able to run the malware search routine (check attachment).
vitaum88 Posted February 18, 2019 Author ID:1299297 I'm currently running ESET scan. Will post results asap.
vitaum88 Posted February 19, 2019 Author ID:1299367 Hey Murphy, after almost 9 hours scanning, here is the log (I personally thought it would include the name of the files that were cleaned...):
19/02/2019 01:20:05
Files scanned: 882495
Infected files: 3
Cleaned threats: 3
Total scan time 08:24:40
Scan status: Finished
RPMcMurphy Posted February 19, 2019 ID:1299454 Please run another FRST scan for me and post those results.
vitaum88 Posted February 23, 2019 Author ID:1300203 Murphy, Sorry for the late reply. I was out of town for the week. Find attached both logs! Addition.txt FRST.txt
RPMcMurphy Posted February 23, 2019 ID:1300233 Welcome back. While I go through those, please let me know which issues you are still having with your computer.