
Hello all,

Earlier today I mistakenly installed some unknown piece of software which resulted in the infection of several Trojan and Adware files on my PC. The files were being generated everywhere, in random folders with random names upon startup, and Chrome would be opening new tabs indefinitely. By using Malwarebytes without an internet connection it seemed that I had managed to fix this issue. The logs were coming back with zero threats.

However, when browsing YouTube and other sites via Chrome I seemed to get some unfamiliar behavior/ads. I checked my extensions and removed one I did not recognize (chrome_filter). Then I noticed two things: my Google page was "google.ga" (from Gabon), and when I actually searched for anything the address bar would change to my-search.com/"whatever term I searched here". Thus, I tried to reinstall Chrome using MS Edge. On Edge I'm getting some ads with "Aura" written on their bottom (which I searched online and seems to be malware-related) and I'm also getting Google.ga in there, but no "my-search" redirection. There are some empty popups that appear which I blocked.

I tried reinstalling Chrome anyway and I got an error saying that the Chrome installer couldn't connect to Google's network and suggested I check my firewalls.

Finally, I've just run Malwarebytes again with the Rootkit and "scan inside archives" options turned on and I got the attached log - I quarantined the 4 infected files. I'm also attaching the FRST log with the "Addition.txt" file.

Any help?

Thanks in advance

log.txt

Addition.txt

FRST.txt


Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

- - -

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below

Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S4 OWM3ZTM3ZTY2OG; "C:\Program Files\OWM3ZTM3ZTY2OG\NWE0NzZmOD.exe" [X]
2019-02-16 10:26 - 2019-02-16 10:26 - 000000000 ____D C:\ProgramData\{B21E3CD3-4641-2612-395B-91AA39BCC8FB}
2019-02-16 10:26 - 2019-02-16 10:26 - 000000000 ____D C:\ProgramData\{991D3439-4EAB-0D11-D353-9281D3B4CBD0}
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
C:\Windows\Temp\*.*
C:\Users\CurrentUserName\AppData\Local\Temp\*.*
End::


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

How is the computer running now?

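The fixlist above was assembled by reading the FRST output for a handful of recurring signals: entries FRST itself tags with "<==== ATTENTION", scheduled tasks that launch a binary from a user's Temp folder, a service whose binary is gone ("[X]"), and firewall rules whose target no longer exists ("No File"). The following script is an added example, not part of this thread and not a tool shipped with FRST; it applies those same checks to a few constructed lines modelled on the FRST.txt format shown here, so a reviewer can see at a glance which entries deserve a second look before anything goes into a fixlist.

```python
"""Triage helper for FRST-style scan lines (added example, not part of FRST).

Flags the kinds of entries pulled into the fixlist above: lines FRST marks
'<==== ATTENTION', scheduled tasks launching from a user's Temp folder,
services whose binary is missing ('[X]'), and firewall rules whose target
program no longer exists ('No File').
"""
import re
from collections import Counter

# Constructed sample lines modelled on the FRST.txt format seen in this thread.
# The two entries marked "benign" are made up to show that normal lines pass.
SAMPLE_LINES = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION",
    r'S4 OWM3ZTM3ZTY2OG; "C:\Program Files\OWM3ZTM3ZTY2OG\NWE0NzZmOD.exe" [X]',
    r"Task: {1A998079-7B99-4A48-9A32-79173B014453} - System32\Tasks\bkuhAoSJcXQpTtpNWuU => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exe",
    r"Task: {D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA} - \goloader1 -> No File <==== ATTENTION",
    r"Task: {11111111-2222-3333-4444-555555555555} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\System32\defrag.exe",  # constructed, benign
    r"FirewallRules: [{63D34267-4874-4C04-8715-3C7C71A7059E}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File",
    r"FirewallRules: [{99999999-8888-7777-6666-555555555555}] => (Allow) C:\Program Files\Example\app.exe",  # constructed, benign
]

# A task target living under <profile>\AppData\Local\Temp\ is a classic
# persistence location for adware droppers (see the bku* tasks in this thread).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# FRST writes "Task: {GUID} - <task path> => <target binary>" for resolvable tasks.
TASK_RE = re.compile(r"^Task: .*?=> (?P<target>.+)$")
# FRST service/driver lines start with a state code such as R2, S3, S4.
SERVICE_RE = re.compile(r"^[RS]\d ")


def classify(line):
    """Return the list of reasons a line deserves review; empty means it looks fine."""
    reasons = []
    if "<==== ATTENTION" in line:
        reasons.append("flagged by FRST")
    if line.startswith("Task:"):
        m = TASK_RE.match(line)
        if m and TEMP_DIR_RE.search(m.group("target")):
            reasons.append("scheduled task launches from a Temp folder")
    if SERVICE_RE.match(line) and line.rstrip().endswith("[X]"):
        reasons.append("service binary missing")
    if line.startswith("FirewallRules:") and line.rstrip().endswith("No File"):
        reasons.append("firewall rule for a program that no longer exists")
    return reasons


def triage(lines):
    """Return (line, reasons) pairs for every suspicious line, in input order."""
    flagged = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


def summarize(lines):
    """Count how many lines hit each reason, for a quick overview of a log."""
    counts = Counter()
    for _, reasons in triage(lines):
        counts.update(reasons)
    return dict(counts)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print("; ".join(reasons))
        print("    " + line[:100])
    print(summarize(SAMPLE_LINES))
```

The checks are deliberately narrow: a hit means "a human should look", not "delete this". Orphaned firewall rules, for instance, are mostly leftovers of uninstalled games and are removed for tidiness, whereas a task launching `oiuwertmnasgbkj.exe` from Temp is the actual persistence that brought the redirects back.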

Download AdwCleaner and move it to your Desktop.

  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Accept the EULA (I accept), then click on Scan.
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do so.
  • After the restart, a log will open when logging in. Please copy and paste the contents of that log into your next reply.


Hi friend,

Here we go?

# -------------------------------
# Malwarebytes AdwCleaner 7.2.7.0
# -------------------------------
# Build:    01-30-2019
# Database: 2019-02-15.6 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    02-17-2019
# Duration: 00:00:04
# OS:       Windows 10 Home Single Language
# Cleaned:  16
# Failed:   2


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files (x86)\OSTotoSoft

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted       C:\Windows\Tasks\BKUSGEDCEFICVBDOSLJ.JOB
Deleted       C:\Windows\Tasks\BKUHAOSJCXQPTTPNWUU.JOB
Deleted       C:\Windows\System32\Tasks\BKUSGEDCEFICVBDOSLJ
Deleted       C:\Windows\System32\Tasks\BKUHAOSJCXQPTTPNWUU

***** [ Registry ] *****

Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\EventSvc
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9AC66348-1D98-4E4B-904A-3130532A985B} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9AC66348-1D98-4E4B-904A-3130532A985B} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkusGeDCEFIcvBdOSlJ
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A998079-7B99-4A48-9A32-79173B014453} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A998079-7B99-4A48-9A32-79173B014453} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkuhAoSJcXQpTtpNWuU
Deleted       HKCU\Software\OSTotoSoft
Deleted       HKLM\Software\Wow6432Node\OSTotoSoft
Deleted       HKCU\Software\OneSystemCare
Deleted       HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}

***** [ Chromium (and derivatives) ] *****

Not Deleted   Managera
Not Deleted   Extutil

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [3794 octets] - [04/05/2018 16:58:52]
AdwCleaner[C00].txt - [3623 octets] - [04/05/2018 16:59:43]
AdwCleaner[S01].txt - [2946 octets] - [17/02/2019 13:43:51]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

I see 2 lines on Chrome weren't fixed. haha

Any more steps?


Please do this and let me know how it is running:
- - -

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below

Start::
CreateRestorePoint:
CloseProcesses:
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
ContextMenuHandlers1: [BB FlashBack 2] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} =>  -> No File
ContextMenuHandlers1: [QuickShare] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} =>  -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {1A998079-7B99-4A48-9A32-79173B014453} - System32\Tasks\bkuhAoSJcXQpTtpNWuU => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exe
Task: {80891717-F5B0-4ABB-B528-02CD33D63ED4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {9AC66348-1D98-4E4B-904A-3130532A985B} - System32\Tasks\bkusGeDCEFIcvBdOSlJ => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exe
Task: {D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA} - \goloader1 -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exed/comm we /adp YNLR9YNLR5UMLR1APLR6KOLR9GOLR0NNLR6SNLR0SNLR2XMLR2YOLR3RNLR6JOLR4ZNLR4UOLR2WOLR6ZNLR2 C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvBLAPTOPVICTOR\victor.avd
Task: C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exed/comm we /adp YMLR0QNLR6EPLR7APLR2DNLR4MNLR9UNLR6LNLR3DPLR7WOLR9DNLR3SNLR8WNLR4BNLR2JOLR3RNLR8ONLR4 C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpathLAPTOPVICTOR\victor.avd
VirusTotal: C:\Users\victor.avd
FirewallRules: [UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [{63D34267-4874-4C04-8715-3C7C71A7059E}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{D5C919B1-DD4E-4095-A3BD-027838F7F71D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{BDA0E642-4672-410B-8371-48D693DB79A8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{7189BB17-7687-48EA-B554-0AF84B9C0AE1}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{B7305920-6EBE-4C59-B31A-3B882EF3AE22}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{4674792F-3556-4CC9-A385-3DBD14D61E0D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{6878256F-D676-4484-8945-E334C89B3995}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{ADDD66D9-DB90-4486-8334-794E05E89FB8}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{36E45D9D-B42C-4EE0-9159-242BF95B87EE}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{24A24EC5-5B1E-454F-B6AF-1D6615E98743}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{E241F745-19E0-40ED-AC45-C64F72C750E6}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{36A13E40-46A8-4BC4-B5BB-3482B39989A2}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [{2BC13282-4776-4190-AB51-AF0C3253DE16}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{04887266-C004-437E-B459-F9222B03A739}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{BB559364-178B-45D9-8CC4-11F75016490A}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{6560914F-F048-4C98-BA16-1E936B357C98}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{C7543C50-5037-4185-9A57-D035EF908A2E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{1D5BE10F-19BB-44C8-8441-2C5C233E7348}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{F370076F-2951-4158-93EA-7B5A763FCB47}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{E57B439B-BC76-4041-8BF6-75D2F6D233A6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{0D5FF9FD-F978-4457-928E-11C2F83E2C62}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{4F219C29-AED5-405C-AEFB-D088C412D89C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{2914E838-2CAD-448E-93FB-9D1DDA75F37C}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{85FDC0DC-C090-4F85-AEEB-18162F7565D2}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{F9AA6261-9104-4B75-87BA-F2957A054EAB}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [{B869FD31-D289-4DA9-8C80-97256646F9F5}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{2D22DE02-C41D-4655-A277-8B2D65621BA7}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{73B3127F-74F4-40F3-8904-2C47F2585CAA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{CC70935D-EB57-4A59-AF57-BD800DC2B458}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{E4349180-BD0D-465F-A4E4-ABF292A34538}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
End::


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.


Hey!

Here we go?

Fix result of Farbar Recovery Scan Tool (x64) Version: 17.02.2019
Ran by victor.avdias (17-02-2019 14:12:00) Run:2
Running from C:\Users\victor.avdias\Desktop\recovery
Loaded Profiles: victor.avdias (Available Profiles: victor.avdias)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
2019-02-16 10:24 - 2019-02-16 15:58 - 000000000 ____D C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000}\InprocServer32 -> C:\Users\victor.avdias\AppData\Local\GAS Tecnologia\GBBD\npsf_bb_64.dll => No File
ContextMenuHandlers1: [BB FlashBack 2] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} =>  -> No File
ContextMenuHandlers1: [QuickShare] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} =>  -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {1A998079-7B99-4A48-9A32-79173B014453} - System32\Tasks\bkuhAoSJcXQpTtpNWuU => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exe
Task: {80891717-F5B0-4ABB-B528-02CD33D63ED4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {9AC66348-1D98-4E4B-904A-3130532A985B} - System32\Tasks\bkusGeDCEFIcvBdOSlJ => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exe
Task: {D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA} - \goloader1 -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job => C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvB\oiuwertmnasgbkj.exed/comm we /adp YNLR9YNLR5UMLR1APLR6KOLR9GOLR0NNLR6SNLR0SNLR2XMLR2YOLR3RNLR6JOLR4ZNLR4UOLR2WOLR6ZNLR2 C:\Users\victor.avdias\AppData\Local\Temp\tJyta0VvBLAPTOPVICTOR\victor.avd
Task: C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job => C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpath\oiuwertmnasgbkj.exed/comm we /adp YMLR0QNLR6EPLR7APLR2DNLR4MNLR9UNLR6LNLR3DPLR7WOLR9DNLR3SNLR8WNLR4BNLR2JOLR3RNLR8ONLR4 C:\Users\victor.avdias\AppData\Local\Temp\rqzzelkpathLAPTOPVICTOR\victor.avd
VirusTotal: C:\Users\victor.avd
FirewallRules: [UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe No File
FirewallRules: [UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe No File
FirewallRules: [{63D34267-4874-4C04-8715-3C7C71A7059E}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{D5C919B1-DD4E-4095-A3BD-027838F7F71D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{BDA0E642-4672-410B-8371-48D693DB79A8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{7189BB17-7687-48EA-B554-0AF84B9C0AE1}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{B7305920-6EBE-4C59-B31A-3B882EF3AE22}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{4674792F-3556-4CC9-A385-3DBD14D61E0D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{6878256F-D676-4484-8945-E334C89B3995}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{ADDD66D9-DB90-4486-8334-794E05E89FB8}] => (Allow) C:\Program Files (x86)\Connectify\Connectifyd.exe No File
FirewallRules: [{36E45D9D-B42C-4EE0-9159-242BF95B87EE}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}] => (Allow) d:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro 2\Apowersoft Screen Recorder Pro 2.exe No File
FirewallRules: [{24A24EC5-5B1E-454F-B6AF-1D6615E98743}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{E241F745-19E0-40ED-AC45-C64F72C750E6}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [{36A13E40-46A8-4BC4-B5BB-3482B39989A2}] => (Allow) C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe No File
FirewallRules: [UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe] => (Allow) D:\program files (x86)\electronic arts\dead space\dead space.exe No File
FirewallRules: [{2BC13282-4776-4190-AB51-AF0C3253DE16}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{04887266-C004-437E-B459-F9222B03A739}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{BB559364-178B-45D9-8CC4-11F75016490A}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe No File
FirewallRules: [{6560914F-F048-4C98-BA16-1E936B357C98}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{C7543C50-5037-4185-9A57-D035EF908A2E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3147\Agent.exe No File
FirewallRules: [{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe No File
FirewallRules: [{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3182\Agent.exe No File
FirewallRules: [{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{1D5BE10F-19BB-44C8-8441-2C5C233E7348}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe No File
FirewallRules: [{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3235\Agent.exe No File
FirewallRules: [{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{F370076F-2951-4158-93EA-7B5A763FCB47}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe No File
FirewallRules: [{E57B439B-BC76-4041-8BF6-75D2F6D233A6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{0D5FF9FD-F978-4457-928E-11C2F83E2C62}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe No File
FirewallRules: [{4F219C29-AED5-405C-AEFB-D088C412D89C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe No File
FirewallRules: [{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Divinity - Original Sin\Shipping\EoCApp.exe No File
FirewallRules: [{2914E838-2CAD-448E-93FB-9D1DDA75F37C}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{85FDC0DC-C090-4F85-AEEB-18162F7565D2}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{F9AA6261-9104-4B75-87BA-F2957A054EAB}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [{B869FD31-D289-4DA9-8C80-97256646F9F5}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{2D22DE02-C41D-4655-A277-8B2D65621BA7}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe No File
FirewallRules: [{73B3127F-74F4-40F3-8904-2C47F2585CAA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{CC70935D-EB57-4A59-AF57-BD800DC2B458}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{E4349180-BD0D-465F-A4E4-ABF292A34538}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}] => (Allow) C:\Program Files (x86)\Steam2\bin\cef\cef.win7\steamwebhelper.exe No File

*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Users\victor.avdias\AppData\Local\{01801827-6513-4a10-9443-a405dbafb4d3}" => not found
HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B0-F1D4349F0000} => removed successfully
HKU\S-1-5-21-1137961632-259276873-1674078284-1002_Classes\CLSID\{0783EB25-59F8-4F02-B6B1-F1D4349F0000} => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BB FlashBack 2 => removed successfully
HKLM\Software\Classes\CLSID\{A8065B9E-193F-4797-B62D-8F6321E7FCCB} => not found
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\QuickShare => removed successfully
HKLM\Software\Classes\CLSID\{A8065B9E-193F-4797-B62D-8F6321E7FCCB} => not found
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\PowerISO => removed successfully
HKLM\Software\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A998079-7B99-4A48-9A32-79173B014453}" => not found
"C:\WINDOWS\System32\Tasks\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{80891717-F5B0-4ABB-B528-02CD33D63ED4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80891717-F5B0-4ABB-B528-02CD33D63ED4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9AC66348-1D98-4E4B-904A-3130532A985B}" => not found
"C:\WINDOWS\System32\Tasks\bkusGeDCEFIcvBdOSlJ" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bkusGeDCEFIcvBdOSlJ" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D35DCFAF-4425-4CAB-A4F9-E5EABECE31CA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\goloader1" => removed successfully
"C:\WINDOWS\Tasks\bkuhAoSJcXQpTtpNWuU.job" => not found
"C:\WINDOWS\Tasks\bkusGeDCEFIcvBdOSlJ.job" => not found
"VirusTotal: C:\Users\victor.avd" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EA456565-E953-46D9-96CD-D23B9FAC3152}D:\gcantixit\gclauncher.new.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{019538BE-A126-4B75-A9FB-DC371C4666F8}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{4CD4645C-9D96-4BB8-84CF-5C4258B25E1A}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{7B479F83-2CE4-4CEB-B25F-4FD8139271CC}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{63D34267-4874-4C04-8715-3C7C71A7059E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D5C919B1-DD4E-4095-A3BD-027838F7F71D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BDA0E642-4672-410B-8371-48D693DB79A8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EFAB59CB-916E-46B4-9C2A-BCC8AD72A85C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{06ACD42F-9DCA-4E38-A8C2-EFC7B635C648}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7F8A8F64-311D-4DD0-BB70-C2949DC6C37D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B73ECC35-4CBE-43CA-B52C-8FBFC7125AAF}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2A3197A4-32EB-4C20-B4CD-29B2637BC18D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7189BB17-7687-48EA-B554-0AF84B9C0AE1}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B7305920-6EBE-4C59-B31A-3B882EF3AE22}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4674792F-3556-4CC9-A385-3DBD14D61E0D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6878256F-D676-4484-8945-E334C89B3995}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ADDD66D9-DB90-4486-8334-794E05E89FB8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36E45D9D-B42C-4EE0-9159-242BF95B87EE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{922CB223-7EBD-433E-A21C-5EBD7EFC37E8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8B564AAC-FA5A-4718-9D27-BA5B70B4F0B7}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{66D6460D-BCE6-4A45-92A5-CF3FC2747CF1}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{24A24EC5-5B1E-454F-B6AF-1D6615E98743}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5EE35ED8-E215-4805-A3E3-AEE173DC5FEC}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E241F745-19E0-40ED-AC45-C64F72C750E6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8F8F8B93-7BBD-4F5D-AAAC-7C31E510460D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36A13E40-46A8-4BC4-B5BB-3482B39989A2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F6B030F4-F9D7-4387-A879-0405F41C9A7A}D:\program files (x86)\electronic arts\dead space\dead space.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{831645EB-0329-4598-BCA4-9CE5B66B8842}D:\program files (x86)\electronic arts\dead space\dead space.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2BC13282-4776-4190-AB51-AF0C3253DE16}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{04887266-C004-437E-B459-F9222B03A739}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BB559364-178B-45D9-8CC4-11F75016490A}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A83C1F77-79F8-42DB-BEB6-3D076A9B861F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6560914F-F048-4C98-BA16-1E936B357C98}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C7543C50-5037-4185-9A57-D035EF908A2E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A32C0716-3C5C-4EDA-8F75-D519C9C4598F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B2E143F2-F8A4-40A1-8C69-0BA09AEB0F59}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8A2C36C0-A151-4A7D-9F71-6471CD22DA57}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C193B8B8-B1CD-4CA4-BDE0-130D6B248242}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3A8A38D5-72FF-4078-A8B9-5D19A87663DA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1D5BE10F-19BB-44C8-8441-2C5C233E7348}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AFCDDF1C-D2E5-4791-B563-2E94819C2CE1}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{35E64F80-55EA-4BE9-B0B7-2012EF3E487E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4ABDC258-E1CB-4899-9F39-DE755B8CDC3F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F370076F-2951-4158-93EA-7B5A763FCB47}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E57B439B-BC76-4041-8BF6-75D2F6D233A6}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0D5FF9FD-F978-4457-928E-11C2F83E2C62}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4F219C29-AED5-405C-AEFB-D088C412D89C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{051288DA-A1B3-45F0-9DD5-8B566E9A71D8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8EC2E6A3-67D0-46DC-B47D-73A5FA7CA9EC}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9EBEB30-53DB-43EE-BE98-8CC06C44CF93}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2914E838-2CAD-448E-93FB-9D1DDA75F37C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{85FDC0DC-C090-4F85-AEEB-18162F7565D2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F9AA6261-9104-4B75-87BA-F2957A054EAB}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2F333577-E3AA-46BD-BF0D-B4C1D56DBC0B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{BB246DED-9D6D-495F-967B-533C38E2F032}C:\program files\java\jre1.8.0_45\bin\javaw.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B869FD31-D289-4DA9-8C80-97256646F9F5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2D22DE02-C41D-4655-A277-8B2D65621BA7}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73B3127F-74F4-40F3-8904-2C47F2585CAA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CC70935D-EB57-4A59-AF57-BD800DC2B458}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E4349180-BD0D-465F-A4E4-ABF292A34538}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4DC2B4AD-AE84-4ED9-B0F3-5AA7B2729090}" => removed successfully


The system needed a reboot.

==== End of Fixlog 14:13:11 ====

 

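The Fixlog above removes firewall rules and scheduled-task entries one at a time. As an added example that is not part of this thread and not FRST's own code, here is a small Python triage script for FRST lines in that shape. It flags Allow rules whose target executable no longer exists ("No File"), Allow rules for executables outside Program Files or Windows (the D:\gcantixit\gclauncher.new.exe rule), and task names that look machine-generated (the bkuh... entries). The sample lines are constructed from entries quoted in this thread; the "standard root" list, the case-switch threshold and the Finding layout are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the shape of the FirewallRules entries from
# Addition.txt and the task entries from the Fixlog quoted in this thread
# (same names and paths; the EoCApp rule is given an existing target here
# so that one entry passes cleanly).
SAMPLE_LINES = r"""
FirewallRules: [{F9AA6261-9104-4B75-87BA-F2957A054EAB}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\EasyAntiCheat\EasyAntiCheat.exe No File
FirewallRules: [TCP Query User{056DD655-47AC-4E3D-ACEC-FCA0CAC4EB43}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe No File
FirewallRules: [{B869FD31-D289-4DA9-8C80-97256646F9F5}] => (Allow) D:\Program Files (x86)\SteamLibrary\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe
FirewallRules: [TCP Query User{07DE9FC4-5E5A-4655-9D92-A251ED9804C6}D:\gcantixit\gclauncher.new.exe] => (Allow) D:\gcantixit\gclauncher.new.exe
FirewallRules: [UDP Query User{5FF5AD42-939A-45DA-86EC-80F4B49831E0}C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\victor.avdias\appdata\roaming\spotify\spotify.exe
"C:\WINDOWS\System32\Tasks\bkuhAoSJcXQpTtpNWuU" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\goloader1" => removed successfully
""".strip().splitlines()

FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>\w+)\) (?P<path>.+?)(?P<nofile> No File)?$"
)
# Task names appear both as System32\Tasks\<name> files and as TaskCache\Tree\<folder>\<name> keys.
TASK_RE = re.compile(r'(?:System32\\Tasks|TaskCache\\Tree)\\(?P<name>[^"]+)"')

# Assumption: executables under these roots (on any drive) are expected; anything
# else (a user profile, a bare D:\gcantixit\) gets a review flag, not a verdict.
STANDARD_ROOTS = {"program files", "program files (x86)", "windows"}


@dataclass
class Finding:
    kind: str    # "firewall" or "task"
    name: str    # rule name or task name
    path: str    # rule target, or the raw log line for a task
    reason: str


def path_is_standard(path: str) -> bool:
    """True when the first directory after the drive letter is a standard root."""
    parts = path.split("\\")
    return len(parts) > 1 and parts[1].lower() in STANDARD_ROOTS


def name_looks_random(name: str, min_len: int = 12, min_switches: int = 6) -> bool:
    """Heuristic for generated names such as bkuhAoSJcXQpTtpNWuU: letters only,
    long, and flipping case far more often than a human-chosen name does."""
    if len(name) < min_len or not name.isalpha():
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= min_switches


def triage(lines):
    """Walk FRST-style lines and collect firewall rules and tasks worth reviewing."""
    findings = []
    for line in lines:
        m = FIREWALL_RE.match(line)
        if m:
            reasons = []
            if m.group("nofile"):
                reasons.append("target executable no longer exists")
            if not path_is_standard(m.group("path")):
                reasons.append("target outside Program Files/Windows")
            if m.group("action") == "Allow" and reasons:
                findings.append(Finding("firewall", m.group("name"), m.group("path"), "; ".join(reasons)))
            continue
        t = TASK_RE.search(line)
        if t:
            task = t.group("name").split("\\")[-1]   # last path component is the task name
            if name_looks_random(task):
                findings.append(Finding("task", task, line.strip(), "random-looking task name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.name}: {f.reason}\n    {f.path}")
```

The output is a review list: the per-user Spotify install under AppData lands on it as well, and a Microsoft-owned task such as UNP\RunCampaignManager does not, which is what you want before deciding which lines go into a fixlist.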

Hey Murphy,

Thanks for your help. 

Unfortunately, I'm still having some issues. I'm providing a few screen captures (attached) so you can see what I mean.

  1. Google redirection -> I typed "test search". Firstly the address bar tried to reach out to Google.com.br (Brazilian domain for Google) correctly, because I live here in Brazil. But when the page finally ran, the result came in Google.ga (Gabon, a totally different country on another continent, in Africa). - files google brasil and google gabon
  2. Upon visiting YouTube, for example, you can see that first it loads the "correct" advertisers on top (such as Coca-Cola's promo video). Then after a few seconds it refreshes and delivers those stupid ads (Viagra ads, scam sites for "easy money online", and the "Aura Ad" banner on the top-right corner). - files normal yt ads and dumb yt ads
  3. I try to download Chrome off of regular Google, but it keeps redirecting me to the Gabon website. And finally, upon running the installer, it says it could not connect to the internet. - files chrome installer and chrome download
  4. I do have Avira installed, but even after clicking it the interface won't open... 

This makes me wonder if there is some routing virus that I'm experiencing... Something that won't let me reach certain DNS or web pages, or deny access to my anti-virus software. Also the ad delivery is just blatantly wrong. No matter what pages I open or websites I visit, I only get Viagra and the R$1900,00 / week scam website.

Did you get the whole picture now?

chrome download.JPG

chrome installer.jpg

dumb yt ads.jpg

google brasil.jpg

google gabon.JPG

normal yt ads.jpg


Please do this, then run another scan with Malwarebytes and post both logs for me:
- - -

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below



You have some suspicious extensions in Chrome that came in roughly the same time as your malware:

CHR Extension: (Chrome Media Router) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-02-16]
CHR Extension: (chrome_filter) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\ckbjifmmloleglbpjjafmaohbgachggj [2019-02-16]

Please follow the instructions in this link:  https://support.google.com/chrome/answer/2765944?co=GENIE.Platform%3DDesktop&hl=en to Remove unwanted ads, pop-ups & malware and Reset your browser settings in Chrome.

Once that's done, please let me know if you still have issues.


That's good to hear, but I'd like you to run one more scan just to be sure we have everything:


Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • Click on Get Started.
  • Another window will appear - select Get Started. Select whether you would like to send anonymous data to ESET.
  • Click on the Full Scan option.
  • Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.


Hey Murphy, you're right. Upon searching anything on Google, even though the domain is fine (google.com.br), I get some crazy trackers in the URL. Running a TEST SEARCH again, I get the following line in the address bar:

https://www.google.com/search?q=test+search&rlz=1C1SQJL_pt-BRBR836BR836&oq=test+search&aqs=chrome.0.69i59j0l5.1648j0j7&sourceid=chrome&ie=UTF-8

From what I've researched, it seems that these are search trackers (the oq=, aqs=, etc.)

I did the browser clean up as requested on the link you provided (google official support link), but chrome wasn't able to run the malware search routine (check attachment).

 

 

Capture.JPG

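Two checks behind the helper's extension post and the search-URL post above, as an added Python example that is not code from this thread, from FRST or from Google. The first is a parser for FRST's CHR Extension lines that flags extensions installed within a couple of days of the infection and extensions stored under a profile directory other than a normal user profile (chrome_filter sits under System Profile, the Media Router under Default). The second is a search-URL check that separates the parameters Chrome itself appends when a search is typed into the omnibox (q, rlz, oq, aqs, sourceid, ie) from anything else, and compares the host against the Google domains a user in Brazil would expect, since the hijack on this machine shows up as the host (google.ga), not as those parameters. The infection date, the two-day window and the expected-host list are assumptions.

```python
import re
from datetime import date
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the two CHR Extension lines the helper quoted from
# Addition.txt, in FRST's own format (name, install path, install date).
SAMPLE_EXTENSION_LINES = [
    r"CHR Extension: (Chrome Media Router) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-02-16]",
    r"CHR Extension: (chrome_filter) - C:\Users\victor.avdias\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\ckbjifmmloleglbpjjafmaohbgachggj [2019-02-16]",
]
# Assumption: the unknown installer ran on 2019-02-16 (the helper says the
# extensions arrived at roughly the same time as the malware).
INFECTION_DATE = date(2019, 2, 16)

EXT_RE = re.compile(
    r"^CHR Extension: \((?P<name>.*)\) - (?P<path>.+) \[(?P<date>\d{4}-\d{2}-\d{2})\]$"
)


def triage_extensions(lines, infection_date=INFECTION_DATE, window_days=2):
    """Return (name, extension id, [reasons]) for extensions worth a closer look."""
    findings = []
    for line in lines:
        m = EXT_RE.match(line.strip())
        if not m:
            continue
        installed = date.fromisoformat(m.group("date"))
        path = m.group("path")
        ext_id = path.rsplit("\\", 1)[-1]
        # The directory right under "User Data" is the Chrome profile the extension belongs to.
        profile = path.split("\\User Data\\")[-1].split("\\")[0]
        reasons = []
        if abs((installed - infection_date).days) <= window_days:
            reasons.append(f"installed {installed}, within {window_days} days of the infection")
        if profile != "Default" and not profile.startswith("Profile "):
            reasons.append(f"stored under '{profile}', not a normal user profile")
        if reasons:
            findings.append((m.group("name"), ext_id, reasons))
    return findings


# Parameters Chrome appends itself when a search is typed into the omnibox;
# their presence says nothing about a hijack.
CHROME_OMNIBOX_PARAMS = {"q", "rlz", "oq", "aqs", "sourceid", "ie"}
# Assumption: the Google hosts a search from Brazil may legitimately land on.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.google.com.br"}


def check_search_url(url):
    """Report the host, the decoded query and any parameter Chrome would not have added."""
    parts = urlsplit(url.replace("&amp;", "&"))   # URLs pasted from a forum often carry &amp;
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "host": parts.hostname,
        "host_expected": parts.hostname in EXPECTED_SEARCH_HOSTS,
        "query": params.get("q"),
        "unexpected_params": sorted(k for k in params if k not in CHROME_OMNIBOX_PARAMS),
    }


if __name__ == "__main__":
    for name, ext_id, reasons in triage_extensions(SAMPLE_EXTENSION_LINES):
        print(f"{name} ({ext_id}): " + "; ".join(reasons))
    print(check_search_url(
        "https://www.google.com/search?q=test+search&rlz=1C1SQJL_pt-BRBR836BR836"
        "&oq=test+search&aqs=chrome.0.69i59j0l5.1648j0j7&sourceid=chrome&ie=UTF-8"))
```

Run against the URL pasted above, the host check passes and the unexpected-parameter list is empty; the same call on a google.ga or my-search.com address fails the host check, which is the indicator the screenshots actually show. The extension triage lists both extensions because of the install date and adds the profile-location reason only for chrome_filter.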

This topic is now closed to further replies.