fbi moneypak virus

chikenfoot

New Member
Thread author
May 30, 2013
14
I have downloaded OTL and aswMBR to a memory stick but cannot run them, as the FBI screen comes up after logging into Windows when started normally, and the system will not boot up in Safe Mode. I also tried pressing F8 after selecting Start Windows Normally to try to boot from the USB memory stick, to no avail.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

chikenfoot

New Member
Thread author
May 30, 2013
14
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-05-2013 01
Ran by SYSTEM on 30-05-2013 21:16:20
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [x]
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKLM-x32\...\Run: [dellsupportcenter] "c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe" [1255088 2013-05-27] (AVG Secure Search)
HKU\Chikenfoot\...\Run: [dg] C:\Users\Chikenfoot\AppData\Roaming\Microsoft\RSBOT.exe [x]
HKU\Chikenfoot\...\Run: [SansaDispatch] C:\Users\Chikenfoot\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [613888 2013-04-27] (SanDisk Corporation)
HKU\Chikenfoot\...\Run: [ROC_ROC_APR2013_AV] C:\Users\Chikenfoot\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d0cd2c9c845b47d182342104e4a2ffb2-86a25157b67a51fcc20b8a31f63a59c2000d6af5 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [x]
HKU\Chikenfoot\...\Winlogon: [Shell] explorer.exe,C:\Users\Chikenfoot\AppData\Roaming\skype.dat [161280 2011-11-17] (HSN Software LLC) <==== ATTENTION
HKU\Guest\...\Run: [Best Buy pc app] C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
HKU\Guest\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4240760 2010-09-23] (Microsoft Corporation)
HKU\Guest\...\Run: [dg] C:\Users\Guest\AppData\Roaming\Microsoft\RSBOT.exe [x]
HKU\Guest\...\Run: [QuickPhrase] "C:\Program Files (x86)\TypingMaster\QuickPhrase\quickphrase.exe" [x]
HKU\Guest\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Guest\...\Run: [SansaDispatch] C:\Users\Guest\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [x]
HKU\Guest\...\Run: [RebateInformer] C:\PROGRA~2\REBATE~1\REBATE~1.EXE /STARTUP [x]
HKU\Guest\...\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /schedule 300000 [4932056 2012-11-12] (Exent Technologies Ltd.)
HKU\Love and Peace\...\Run: [Best Buy pc app] C:\Users\Love and Peace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Love and Peace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-27] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-29] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-05-27] (AVG Technologies)
S2 X5XSEx_Pr143; C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.Sys [56136 2012-08-02] (Exent Technologies Ltd.)
S2 MCSTRM; No ImagePath
S2 mrtRate; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-30 21:16 - 2013-05-30 21:16 - 00000000 ____D C:\FRST
2013-05-30 09:40 - 2013-05-30 12:36 - 00000004 ____A C:\Users\Chikenfoot\Application Data\skype.ini
2013-05-30 09:40 - 2013-05-30 12:36 - 00000004 ____A C:\Users\Chikenfoot\AppData\Roaming\skype.ini
2013-05-30 09:37 - 2013-05-30 10:00 - 00000336 ___AH C:\Windows\Tasks\{42939782-2A54-4C6F-86F2-4477B2211B63}.job
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-25 13:46 - 2013-05-25 14:01 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Mixxx
2013-05-25 13:46 - 2013-05-25 14:01 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\Mixxx
2013-05-25 13:46 - 2013-05-25 14:01 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\Mixxx
2013-05-25 13:44 - 2013-05-25 13:44 - 00001947 ____A C:\Users\Guest\Desktop\Digital DJ Pro.lnk
2013-05-25 13:43 - 2013-05-25 13:44 - 00000000 ____D C:\Program Files (x86)\Digital DJ Pro
2013-05-17 01:44 - 2013-05-17 01:45 - 02137424 ____A (Solid State Networks) C:\Users\Chikenfoot\Downloads\install_flashplayer11x32axau_mssd_aih.exe
2013-05-12 15:03 - 2013-05-30 09:41 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Realtek
2013-05-12 15:03 - 2013-05-30 09:41 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\Realtek
2013-05-12 15:03 - 2013-05-30 09:41 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\Realtek
2013-05-12 14:00 - 2013-05-18 12:48 - 00000000 ____D C:\Users\Chikenfoot\My Documents\Talent Show Song Considerations
2013-05-12 14:00 - 2013-05-18 12:48 - 00000000 ____D C:\Users\Chikenfoot\Documents\Talent Show Song Considerations
2013-05-04 14:40 - 2013-05-04 14:44 - 00000124 ___AH C:\Users\Chikenfoot\Downloads\.picasa.ini
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\Application Data\AVG Security Toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\Application Data\AVG SafeGuard toolbar
2013-05-04 07:14 - 2013-05-27 00:12 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-05-04 07:14 - 2013-05-27 00:12 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar

==================== One Month Modified Files and Folders =======

2013-05-30 21:16 - 2013-05-30 21:16 - 00000000 ____D C:\FRST
2013-05-30 12:36 - 2013-05-30 09:40 - 00000004 ____A C:\Users\Chikenfoot\Application Data\skype.ini
2013-05-30 12:36 - 2013-05-30 09:40 - 00000004 ____A C:\Users\Chikenfoot\AppData\Roaming\skype.ini
2013-05-30 12:35 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-30 12:35 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-30 12:28 - 2013-04-03 11:20 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2013-05-30 12:28 - 2010-08-24 17:11 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-05-30 12:28 - 2010-08-24 16:57 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-05-30 12:27 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 12:27 - 2009-07-13 23:51 - 00089195 ____A C:\Windows\setupact.log
2013-05-30 10:16 - 2013-04-03 11:20 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-30 10:14 - 2012-04-10 18:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-30 10:08 - 2009-07-14 00:10 - 01335144 ____A C:\Windows\WindowsUpdate.log
2013-05-30 10:00 - 2013-05-30 09:37 - 00000336 ___AH C:\Windows\Tasks\{42939782-2A54-4C6F-86F2-4477B2211B63}.job
2013-05-30 09:41 - 2013-05-12 15:03 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Realtek
2013-05-30 09:41 - 2013-05-12 15:03 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\Realtek
2013-05-30 09:41 - 2013-05-12 15:03 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\Realtek
2013-05-30 09:39 - 2010-08-24 18:27 - 00100042 ____A C:\Windows\PFRO.log
2013-05-30 09:38 - 2010-12-07 23:28 - 00000000 ____D C:\users\Chikenfoot
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-30 09:37 - 2013-05-30 09:37 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\94b25045-e8dc-41b0-9948-88010b369249ad
2013-05-30 09:35 - 2011-06-08 22:17 - 00000000 ____D C:\ProgramData\MFAData
2013-05-30 09:35 - 2011-06-08 22:17 - 00000000 ____D C:\ProgramData\Application Data\MFAData
2013-05-29 18:35 - 2009-07-14 00:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-29 12:37 - 2011-12-01 17:13 - 00000000 ____D C:\Users\Chikenfoot\Application Data\SoftGrid Client
2013-05-29 12:37 - 2011-12-01 17:13 - 00000000 ____D C:\Users\Chikenfoot\AppData\Roaming\SoftGrid Client
2013-05-29 12:26 - 2011-03-25 17:09 - 00012800 ____A C:\Users\Chikenfoot\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-29 12:26 - 2011-03-25 17:09 - 00012800 ____A C:\Users\Chikenfoot\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-29 12:26 - 2011-03-25 17:09 - 00012800 ____A C:\Users\Chikenfoot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-27 00:12 - 2013-05-04 07:14 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-05-27 00:12 - 2013-05-04 07:14 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-05-27 00:12 - 2013-02-10 22:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-25 14:34 - 2010-08-24 16:46 - 00000000 ____D C:\ProgramData\Application Data\Adobe
2013-05-25 14:34 - 2010-08-24 16:46 - 00000000 ____D C:\ProgramData\Adobe
2013-05-25 14:08 - 2012-12-28 18:32 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\CrashDumps
2013-05-25 14:08 - 2012-12-28 18:32 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\CrashDumps
2013-05-25 14:08 - 2012-12-28 18:32 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\CrashDumps
2013-05-25 14:01 - 2013-05-25 13:46 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Mixxx
2013-05-25 14:01 - 2013-05-25 13:46 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\Mixxx
2013-05-25 14:01 - 2013-05-25 13:46 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\Mixxx
2013-05-25 13:45 - 2011-11-20 17:33 - 00000000 ____D C:\Users\Chikenfoot\Desktop\Alexis
2013-05-25 13:44 - 2013-05-25 13:44 - 00001947 ____A C:\Users\Guest\Desktop\Digital DJ Pro.lnk
2013-05-25 13:44 - 2013-05-25 13:43 - 00000000 ____D C:\Program Files (x86)\Digital DJ Pro
2013-05-25 08:49 - 2012-12-13 18:53 - 00000927 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-05-25 08:49 - 2012-12-13 18:53 - 00000927 ____A C:\ProgramData\Desktop\AVG 2013.lnk
2013-05-25 06:04 - 2013-04-03 11:25 - 00002145 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-25 06:04 - 2013-04-03 11:25 - 00002145 ____A C:\ProgramData\Desktop\Google Chrome.lnk
2013-05-18 12:48 - 2013-05-12 14:00 - 00000000 ____D C:\Users\Chikenfoot\My Documents\Talent Show Song Considerations
2013-05-18 12:48 - 2013-05-12 14:00 - 00000000 ____D C:\Users\Chikenfoot\Documents\Talent Show Song Considerations
2013-05-18 09:43 - 2011-02-20 22:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Windows Live
2013-05-18 09:43 - 2011-02-20 22:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\Windows Live
2013-05-18 09:43 - 2011-02-20 22:15 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\Windows Live
2013-05-17 03:17 - 2012-04-10 18:45 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-17 03:17 - 2011-07-10 18:32 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-17 02:00 - 2010-12-07 23:47 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-17 01:45 - 2013-05-17 01:44 - 02137424 ____A (Solid State Networks) C:\Users\Chikenfoot\Downloads\install_flashplayer11x32axau_mssd_aih.exe
2013-05-04 15:38 - 2012-10-26 09:08 - 00000000 ____D C:\Users\Chikenfoot\Desktop\spam
2013-05-04 14:44 - 2013-05-04 14:40 - 00000124 ___AH C:\Users\Chikenfoot\Downloads\.picasa.ini
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\Local Settings\Application Data\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\Users\Chikenfoot\AppData\Local\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\Application Data\AVG Security Toolbar
2013-05-04 07:15 - 2013-05-04 07:15 - 00000000 ____D C:\ProgramData\Application Data\AVG SafeGuard toolbar
2013-05-01 19:56 - 2012-12-25 11:59 - 00000000 ____D C:\Users\Chikenfoot\Desktop\Mac

Other Malware:
===========
C:\Users\Chikenfoot\AppData\Roaming\skype.dat
C:\Users\Chikenfoot\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-23 23:00:28
Restore point made on: 2013-04-01 12:02:25
Restore point made on: 2013-04-01 12:03:42
Restore point made on: 2013-04-12 16:23:50
Restore point made on: 2013-04-19 21:11:38
Restore point made on: 2013-04-26 18:32:30
Restore point made on: 2013-05-17 02:00:42

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3892.52 MB
Available physical RAM: 3310.81 MB
Total Pagefile: 3890.67 MB
Available Pagefile: 3303.55 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:192.27 GB) NTFS (Disk=0 Partition=3)
Drive e: (PODPOD) (Removable) (Total:0.48 GB) (Free:0.41 GB) FAT32 (Disk=2 Partition=1)
Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:5.34 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: F6996217)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 491 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=491 MB) - (Type=0B)


Last Boot: 2013-04-27 20:36

==================== End Of Log ============================
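The log above contains the entry FRST itself marked with ATTENTION: the per-user Winlogon Shell value chains skype.dat after explorer.exe, which is how the lock screen gets control at logon. As an added example for this thread (not FRST's code or anything posted by the participants), the Python script below parses the HKLM/HKU Run and Winlogon lines of an FRST "Registry (Whitelisted)" section and flags that pattern plus the other signs the fix later removed: autostart images under a user-writable profile path, images with a non-program extension, and images FRST reports as missing ([x]). The sample lines are copied from the FRST.txt above; the severity rules are this script's own heuristics, not FRST's.

```python
"""Triage the HKLM/HKU Run and Winlogon lines of an FRST 'Registry (Whitelisted)' section.
Added example for this thread, not part of FRST; the severity rules are this script's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKU\Chikenfoot\...\Run: [dg] C:\Users\Chikenfoot\AppData\Roaming\Microsoft\RSBOT.exe [x]
HKU\Chikenfoot\...\Run: [SansaDispatch] C:\Users\Chikenfoot\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [613888 2013-04-27] (SanDisk Corporation)
HKU\Chikenfoot\...\Winlogon: [Shell] explorer.exe,C:\Users\Chikenfoot\AppData\Roaming\skype.dat [161280 2011-11-17] (HSN Software LLC) <==== ATTENTION
HKU\Guest\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4240760 2010-09-23] (Microsoft Corporation)
"""

# Line shape: HKLM\...\Run: [name] <command> [size date | x] (Company) <==== ATTENTION
LINE_RE = re.compile(r"^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|Winlogon): "
                     r"\[(?P<name>[^\]]+)\] (?P<rest>.*)$")
VENDOR_RE = re.compile(r"\s\(([^()]*)\)$")                      # trailing "(Company Name)"
META_RE = re.compile(r"\s\[(x|\d+ \d{4}-\d{2}-\d{2})\]$", re.I)   # "[size date]" or "[x]"
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|dat|scr|bat|cmd|com|appref-ms))(?=\s|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Application Data|Local Settings)\\|\\ProgramData\\|\\Temp\\", re.I)
ODD_EXT = (".dat", ".dll", ".scr", ".com")   # not what a Run/Shell value normally launches
ATTENTION = "<==== ATTENTION"

@dataclass
class Autostart:
    hive: str               # "HKLM", "HKLM-x32" or "HKU\<user>"
    key: str                # "Run" or "Winlogon"
    name: str               # value name, e.g. "dg" or "Shell"
    images: List[str]       # file(s) the value launches
    file_missing: bool      # FRST printed [x]: image not found on disk
    vendor: Optional[str]   # company name from version info, if FRST could read one
    flagged_by_frst: bool   # FRST itself appended "<==== ATTENTION"

def split_images(cmd: str, key: str) -> List[str]:
    cmd = cmd.strip()
    if key == "Winlogon":    # Shell is a comma-separated list; a clean one is just explorer.exe
        return [p.strip().strip('"') for p in cmd.split(",") if p.strip()]
    if cmd.startswith('"'):  # quoted path followed by arguments
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end > 0 else [cmd.strip('"')]
    m = IMAGE_RE.match(cmd)  # unquoted path, possibly containing spaces, then arguments
    return [m.group(1)] if m else ([cmd.split()[0]] if cmd else [])

def parse_autostart(line: str) -> Optional[Autostart]:
    """Parse one FRST autostart line; returns None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    flagged = rest.endswith(ATTENTION)
    if flagged:
        rest = rest[: -len(ATTENTION)].rstrip()
    vm = VENDOR_RE.search(rest)
    vendor, rest = (vm.group(1), rest[: vm.start()]) if vm else (None, rest)
    mm = META_RE.search(rest)
    missing, rest = (mm.group(1).lower() == "x", rest[: mm.start()]) if mm else (False, rest)
    return Autostart(m.group("hive"), m.group("key"), m.group("name"),
                     split_images(rest, m.group("key")), missing, vendor, flagged)

def triage(entry: Autostart) -> Tuple[str, List[str]]:
    """Return (severity, reasons); severity is 'clean', 'medium' or 'high'."""
    reasons, high = [], False
    if entry.key == "Winlogon" and entry.name.lower() == "shell":
        extra = [p for p in entry.images if p.lower() != "explorer.exe"]
        if extra:  # the lock-screen persistence seen in this thread
            reasons.append("Winlogon Shell launches more than explorer.exe: " + ", ".join(extra))
            high = True
    for img in entry.images:
        odd = img.lower().endswith(ODD_EXT)
        if USER_WRITABLE_RE.search(img):
            reasons.append(f"image lives in a user-writable location: {img}")
            if odd or entry.vendor is None:  # disguised as data, or no publisher info at all
                high = True
        if odd:
            reasons.append(f"image has a non-program extension: {img}")
    if entry.file_missing:
        reasons.append("image not found on disk ([x]): orphaned or self-deleting autostart")
    return ("high" if high else "medium" if reasons else "clean"), reasons

def triage_log(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map 'hive:name' -> (severity, reasons) for every autostart line in an FRST log."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        entry = parse_autostart(line)
        if entry:
            results[f"{entry.hive}:{entry.name}"] = triage(entry)
    return results

if __name__ == "__main__":
    for key, (severity, reasons) in triage_log(SAMPLE_LOG).items():
        print(f"{severity:6} {key}: {'; '.join(reasons) or 'no findings'}")
```

Run against the full FRST.txt, the same parser also picks up the Guest profile's duplicate `dg` entry and the `[x]` leftovers such as the AVG campaign updater, which is why a fixlist usually covers more than the single line FRST marks.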
 

chikenfoot

New Member
Thread author
May 30, 2013
14
I also tried following the instructions in the Malware Removal Guide forum for this virus, but when choosing Safe Mode with Networking it then asks for the user logon password and, after inputting that, it puts up a shutting-down screen and returns to normal mode. When you log on as the user in normal mode, it puts up the FBI piracy MoneyPak screen.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please download this file and save it to your Flash Drive.

[attachment=4681]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments

  • fixlist.txt (1.9 KB)

chikenfoot

New Member
Thread author
May 30, 2013
14
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-05-2013 01
Ran by SYSTEM at 2013-05-31 06:34:31 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

HKEY_USERS\Chikenfoot\Software\Microsoft\Windows\CurrentVersion\Run\\dg => Value deleted successfully.
HKEY_USERS\Chikenfoot\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKEY_USERS\Guest\Software\Microsoft\Windows\CurrentVersion\Run\\dg => Value deleted successfully.
C:\Users\Chikenfoot\Application Data\skype.ini => Moved successfully.
C:\Users\Chikenfoot\AppData\Roaming\skype.ini => File/Directory not found.
C:\Users\Chikenfoot\Local Settings\Application Data\94b25045-e8dc-41b0-9948-88010b369249ad => Moved successfully.
C:\Users\Chikenfoot\Local Settings\94b25045-e8dc-41b0-9948-88010b369249ad => File/Directory not found.
C:\Users\Chikenfoot\AppData\Local\94b25045-e8dc-41b0-9948-88010b369249ad => File/Directory not found.
C:\Users\Chikenfoot\Application Data\skype.ini => File/Directory not found.
C:\Users\Chikenfoot\AppData\Roaming\skype.ini => File/Directory not found.
C:\Users\Chikenfoot\Local Settings\Application Data\94b25045-e8dc-41b0-9948-88010b369249ad => File/Directory not found.
C:\Users\Chikenfoot\Local Settings\94b25045-e8dc-41b0-9948-88010b369249ad => File/Directory not found.
C:\Users\Chikenfoot\AppData\Local\94b25045-e8dc-41b0-9948-88010b369249ad => File/Directory not found.
C:\Users\Chikenfoot\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => Moved successfully.
C:\Users\Chikenfoot\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => File/Directory not found.
C:\Users\Chikenfoot\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => File/Directory not found.

==== End of Fixlog ====
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Great to hear that. :)

STEP 1: Run a scan with AdwCleaner

  • Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete, then confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply

STEP 3: Run a scan with Malwarebytes Anti-Rootkit

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)

STEP 4: Run a scan with Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click Decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


 

chikenfoot

New Member
Thread author
May 30, 2013
14
# AdwCleaner v2.301 - Logfile created 05/31/2013 at 07:18:49
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Chikenfoot - FOOT-TOP
# Boot Mode : Normal
# Running from : C:\Users\Chikenfoot\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Common Files\AVG Secure Search
File Deleted : C:\Windows\SysWOW64\conduitEngine.tmp
Folder Deleted : C:\Program Files (x86)\Yontoo Layers Runtime
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\CHIKEN~1\AppData\Local\Temp\AskSearch
Folder Deleted : C:\Users\Chikenfoot\AppData\Local\Conduit
Folder Deleted : C:\Users\Chikenfoot\AppData\Local\PackageAware
Folder Deleted : C:\Users\Chikenfoot\AppData\Local\Savings Sidekick
Folder Deleted : C:\Users\Chikenfoot\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Chikenfoot\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Chikenfoot\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Chikenfoot\AppData\Roaming\Mozilla\Firefox\Profiles\8hsnw4fo.default\extensions\crossriderapp5060@crossrider.com

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\Savings Sidekick
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0005060.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0005060.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0005060.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2418376
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Savings Sidekick_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Savings Sidekick_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dhdepfaagokllfmhfbcfmocaeigmoebo
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55E7026-EF2A-4A17-AAA7-DB98EA3FD1B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Savings Sidekick
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17267

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://www2.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Chikenfoot\AppData\Roaming\Mozilla\Firefox\Profiles\8hsnw4fo.default\prefs.js

C:\Users\Chikenfoot\AppData\Roaming\Mozilla\Firefox\Profiles\8hsnw4fo.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.appId", "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}");
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "b4b799a80000000000001c659d07ebba");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15669");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "irhnew");
Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://search.babylon.com/?babsrc=TB_def&mntrId=[...]
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.8.3.8");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.8.3.8");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.8.3.823:41:09");
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1353818431);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.searchUserConifrmation", false[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.active", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.addressbar", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1353818431");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.value", "1353818431");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.expiration", "Thu Nov 29 2012 22:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.expiration", "Sat Dec 01 2012 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.value", "%22US%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.value", "1354244099");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.value", "%2214019%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.value", "1353819121569");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.value", "%221265%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.value", "%22110731%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.value", "1353819092472");
Deleted : user_pref("extensions.crossriderapp5060.5060.description", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.domain", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.group", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.homepage", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.iframe", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.value", "38");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.expiration", "Fri Nov 30[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.value", "%7B%22AnySoftware%[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.name", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.newtab", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.opensearch", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.ver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,100[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsversion", 16);
Deleted : user_pref("extensions.crossriderapp5060.5060.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp5060.5060.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.thankyou", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp5060.5060.ver", 38);
Deleted : user_pref("extensions.crossriderapp5060.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp5060.apps", "5060");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13b35e7839f2194a15c6e0094fe225d5");
Deleted : user_pref("extensions.crossriderapp5060.cid", 5060);
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1353819063);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22570733);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22570735);
Deleted : user_pref("extensions.crossriderapp5060.modetype", "production");
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);

-\\ Google Chrome v27.0.1453.94

File : C:\Users\Chikenfoot\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [24213 octets] - [31/05/2013 07:16:21]
AdwCleaner[S1].txt - [24365 octets] - [31/05/2013 07:18:49]

########## EOF - C:\AdwCleaner[S1].txt - [24426 octets] ##########
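The AdwCleaner log above is a list of registry load points (BHO CLSIDs, IE toolbar and URLSearchHook values, SearchScopes, Ext\PreApproved, Low Rights ElevationPolicy, a Run value, and two Chrome extensions pushed from HKLM). Below is an added example, not code from the thread or from AdwCleaner, that audits exactly those locations read-only so the machine can be re-checked after the reboot. It assumes Windows 7 x64 and an elevated Windows PowerShell 2.0 prompt (the version Windows 7 ships with), and it reads both the native and the Wow6432Node registry views; the function names are the example's own.

```powershell
# Added example (not from the thread or AdwCleaner): read-only audit of the registry load
# points the AdwCleaner log removed entries from. Windows 7 x64, elevated PowerShell 2.0.
# Nothing here deletes anything; every line of output is a load point to look at.

$views = @('SOFTWARE', 'SOFTWARE\Wow6432Node')     # 64-bit and 32-bit views of HKLM

function New-Finding([string]$Type, [string]$Location, [string]$Name, [string]$Detail) {
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Name = $Name; Detail = $Detail }
}

function Get-ComServer([string]$Clsid) {
    # Map a CLSID to its InprocServer32 DLL. $null means no class is registered for it:
    # an orphaned load point, typical of a half-removed add-on, harmless but worth clearing.
    $roots = @('HKCU:\Software\Classes\CLSID') + ($views | ForEach-Object { "HKLM:\$_\Classes\CLSID" })
    foreach ($r in $roots) {
        $k = "$r\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $k) { return (Get-ItemProperty -LiteralPath $k).'(default)' }
    }
    return $null
}

$report = & {
    # 1. Keys whose SUBKEY names are CLSIDs that IE instantiates: Browser Helper Objects,
    #    pre-approved ActiveX controls, and Protected Mode elevation exceptions.
    $clsidKeyed = @{
        'BHO'             = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'PreApproved'     = 'Microsoft\Windows\CurrentVersion\Ext\PreApproved'
        'ElevationPolicy' = 'Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    }
    foreach ($type in $clsidKeyed.Keys) {
        foreach ($v in $views) {
            $k = "HKLM:\$v\$($clsidKeyed[$type])"
            if (-not (Test-Path -LiteralPath $k)) { continue }
            foreach ($sub in Get-ChildItem -LiteralPath $k) {
                $detail = Get-ComServer $sub.PSChildName
                if ($type -eq 'ElevationPolicy') {
                    # AppPath\AppName is what IE may start outside Protected Mode; Policy 3 = start silently.
                    $p = Get-ItemProperty -LiteralPath $sub.PSPath
                    $detail = "$($p.AppPath)\$($p.AppName) (Policy=$($p.Policy))"
                }
                New-Finding $type $k $sub.PSChildName $detail
            }
        }
    }

    # 2. Keys whose VALUE names are CLSIDs: IE toolbars and URL search hooks.
    $clsidValued = @('HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                     'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks') +
                   ($views | ForEach-Object { "HKLM:\$_\Microsoft\Internet Explorer\Toolbar" })
    foreach ($k in $clsidValued) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($pr in $props.PSObject.Properties) {
            if ($pr.Name -match '^\{[0-9A-F-]{36}\}$') {
                New-Finding 'ClsidValue' $k $pr.Name "$($pr.Value) -> $(Get-ComServer $pr.Name)"
            }
        }
    }

    # 3. Run keys: plain command lines executed at logon (the log removed HKLM\...\Run [vProt]).
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') +
               ($views | ForEach-Object { "HKLM:\$_\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($pr in $props.PSObject.Properties) {
            if (@('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') -notcontains $pr.Name) {
                New-Finding 'Run' $k $pr.Name $pr.Value
            }
        }
    }

    # 4. IE search scopes: the DefaultScope value names the provider the address bar uses.
    $ss = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path -LiteralPath $ss) {
        $default = (Get-ItemProperty -LiteralPath $ss).DefaultScope
        foreach ($sub in Get-ChildItem -LiteralPath $ss) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            $tag = if ($sub.PSChildName -eq $default) { '[DEFAULT] ' } else { '' }
            New-Finding 'SearchScope' $ss $sub.PSChildName "$tag$($p.DisplayName): $($p.URL)"
        }
    }

    # 5. Chrome extensions pushed from the registry: update_url = fetched from that URL on the
    #    next launch, path/version = loaded from a local .crx. Both log entries sat in Wow6432Node.
    foreach ($v in $views) {
        $k = "HKLM:\$v\Google\Chrome\Extensions"
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $k) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            New-Finding 'ChromeExt' $k $sub.PSChildName "update_url=$($p.update_url) path=$($p.path) version=$($p.version)"
        }
    }
}

$report | Sort-Object Type, Location | Format-Table Type, Name, Detail, Location -AutoSize -Wrap
```

Two things to look for in the output: a CLSID that resolves to no DLL is a leftover that AdwCleaner's key deletions may have orphaned, and a CLSID that resolves to a DLL under a user-writable path (AppData, ProgramData, Temp) is the one to hash and submit before the next reboot re-registers it.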
 

chikenfoot

New Member
Thread author
May 30, 2013
14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Chikenfoot on Fri 05/31/2013 at 7:28:31.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{22222222-2222-2222-2222-220022502260}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\wow6432node\clsid\{22222222-2222-2222-2222-220022502260}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9506093D-C927-48B3-A4E6-494EBA2E2BFC}



~~~ Files

Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\ProgramData\free ride games"
Successfully deleted: [Folder] "C:\Users\Chikenfoot\appdata\local\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Chikenfoot\appdata\local\dealcabby"
Successfully deleted: [Folder] "C:\Program Files (x86)\free ride games"
Successfully deleted: [Folder] "C:\Users\Chikenfoot\AppData\Roaming\microsoft\windows\start menu\programs\free ride games"



~~~ FireFox

Successfully deleted: [File] C:\Users\Chikenfoot\AppData\Roaming\mozilla\firefox\profiles\8hsnw4fo.default\extensions\eoxnxkvoyg@eoxnxkvoyg.org.xpi [Tracur]
Successfully deleted the following from C:\Users\Chikenfoot\AppData\Roaming\mozilla\firefox\profiles\8hsnw4fo.default\prefs.js

user_pref("browser.startup.homepage", "hxxp://mysearch.avg.com/?cid={D94F1843-0057-4531-A321-28EC5BE484AD}&mid=d0cd2c9c845b47d182342104e4a2ffb2-86a25157b67a51fcc20b8a31f63a59c
user_pref("extensions.crossrider.bic", "13b35e7839f2194a15c6e0094fe225d5");
Emptied folder: C:\Users\Chikenfoot\AppData\Roaming\mozilla\firefox\profiles\8hsnw4fo.default\minidumps [20 files]



~~~ Chrome

Dumping contents of C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aadcdbddgegfggdadcgfgbdbdeddgcgd
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aagedjgeggdhdidfdcdjdcdhgcdjgbdb
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aadcdbddgegfggdadcgfgbdbdeddgcgd\background.js
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aadcdbddgegfggdadcgfgbdbdeddgcgd\ContentScript.js
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aadcdbddgegfggdadcgfgbdbdeddgcgd\manifest.json
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aagedjgeggdhdidfdcdjdcdhgcdjgbdb\background.js
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aagedjgeggdhdidfdcdjdcdhgcdjgbdb\ContentScript.js
C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default\aagedjgeggdhdidfdcdjdcdhgcdjgbdb\manifest.json

Successfully deleted: [Folder] C:\Users\Chikenfoot\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 05/31/2013 at 7:35:31.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
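The JRT log above cleaned three kinds of on-disk load point: a Startup-folder shortcut in the "Default User" profile, two Chrome extension folders that sat under Default\Default\ rather than under the profile's Extensions directory, and a Firefox extension (.xpi) in the profile. Below is an added example, not code from the thread or from JRT, that sweeps those same locations read-only and resolves what each one actually loads. It assumes Windows 7 with Windows PowerShell 2.0 (so JSON is parsed with .NET's JavaScriptSerializer rather than ConvertFrom-Json) and is run as the affected user; the function names are the example's own.

```powershell
# Added example (not from the thread or JRT): read-only sweep of Startup shortcuts, Chrome
# extension code in the profile, and Firefox profile extensions. Windows 7, PowerShell 2.0.

Add-Type -AssemblyName System.Web.Extensions
$json = New-Object System.Web.Script.Serialization.JavaScriptSerializer
$wsh  = New-Object -ComObject WScript.Shell

function Get-Key($Dict, [string]$Name) {
    # Safe lookup in the Dictionary<string,object> the serializer returns (missing key -> $null).
    if ($Dict -is [System.Collections.IDictionary] -and $Dict.Contains($Name)) { return $Dict[$Name] }
    return $null
}

function New-Finding([string]$Type, [string]$Item, [string]$Detail) {
    New-Object PSObject -Property @{ Type = $Type; Item = $Item; Detail = $Detail }
}

$findings = & {
    # 1. Startup folders. "C:\Users\Default User" in the JRT log is the legacy junction onto
    #    C:\Users\Default: whatever sits in its Startup folder is copied into every NEW profile.
    $startupDirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:SystemDrive\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($d in $startupDirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        foreach ($f in @(Get-ChildItem -LiteralPath $d -Force | Where-Object { -not $_.PSIsContainer })) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') {
                $sc = $wsh.CreateShortcut($f.FullName)      # loads the existing .lnk
                $target = "$($sc.TargetPath) $($sc.Arguments)"
            }
            New-Finding 'Startup' $f.FullName $target
        }
    }

    # 2. Chrome. Installed extensions live only under <profile>\Extensions\<32-char id>\<version>\.
    #    A manifest.json anywhere else (JRT found two under Default\Default\) is code Chrome did
    #    not install itself; it is reported with its permissions and the sites it injects into.
    $chromeRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    if (Test-Path -LiteralPath $chromeRoot) {
        foreach ($m in @(Get-ChildItem -LiteralPath $chromeRoot -Recurse -Force -Filter manifest.json)) {
            $expected = $m.FullName -match '\\Extensions\\[a-p]{32}\\[^\\]+\\manifest\.json$'
            try { $mf = $json.DeserializeObject([System.IO.File]::ReadAllText($m.FullName)) } catch { $mf = $null }
            $hosts = @()
            foreach ($cs in @(Get-Key $mf 'content_scripts')) { $hosts += @(Get-Key $cs 'matches') }
            $detail = "$(Get-Key $mf 'name') v$(Get-Key $mf 'version') perms=[$(@(Get-Key $mf 'permissions') -join ',')] injects=[$($hosts -join ',')]"
            New-Finding $(if ($expected) { 'ChromeExt' } else { 'ChromeExt-UNEXPECTED-PATH' }) $m.DirectoryName $detail
        }
    }

    # 3. Firefox. Anything in <profile>\extensions loads at start. user.js is never written by
    #    Firefox itself: it re-applies its prefs over prefs.js on every start, which is why
    #    adware drops one and why AdwCleaner deleted it earlier in this thread.
    foreach ($prof in @(Get-ChildItem -LiteralPath "$env:APPDATA\Mozilla\Firefox\Profiles" -ErrorAction SilentlyContinue)) {
        foreach ($x in @(Get-ChildItem -LiteralPath "$($prof.FullName)\extensions" -Force -ErrorAction SilentlyContinue)) {
            New-Finding 'FirefoxExt' $x.FullName $x.Name
        }
        $userJs = "$($prof.FullName)\user.js"
        if (Test-Path -LiteralPath $userJs) {
            New-Finding 'Firefox-user.js' $userJs ((Get-Content -LiteralPath $userJs) -join ' | ')
        }
    }
}

$findings | Sort-Object Type | Format-Table Type, Item, Detail -AutoSize -Wrap
```

The Chrome check is the one worth keeping around: a manifest whose content_scripts match `<all_urls>` or `*://*/*` and that lives outside the Extensions tree is injecting JavaScript into every page the user opens, which is exactly what the two "Default Extension 1.0" folders in the JRT log were set up to do.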
 

chikenfoot

New Member
Thread author
May 30, 2013
14
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_24

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 2571857920

=======================================

I cannot locate the mbar-log.txt file; it found 6 instances of malware the first time and zero the second.
 

chikenfoot

New Member
Thread author
May 30, 2013
14
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.31.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Chikenfoot :: FOOT-TOP [administrator]

5/31/2013 9:28:37 AM
mbam-log-2013-05-31 (09-28-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281036
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Chikenfoot\AppData\Local\Temp\PricePeep_BetterInstaller_2012-10-02.exe (Adware.Agent) -> Quarantined and deleted successfully.

(end)
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with ESET Online Scanner

1. Download ESET Online Scanner from the link below (this link downloads the installer directly):
   ESET ONLINE SCANNER DOWNLOAD LINK: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe
2. Double-click the ESET installer (esetsmartinstaller_enu.exe).
3. Check "Yes, I accept the Terms of Use".
4. Click the Start button.
5. Check "Scan archives".
6. Push the Start button.
7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this can take some time.
8. When the scan completes, push "List of found threats".
9. Push "Export to Text file" and save the file to your desktop using a unique name, such as "ESET Scan". Include the contents of this report in your next reply. Note: when ESET doesn't find any threats, no report will be created.
10. Push the Back button.
11. Push Finish.

---------------------------------------

STEP 2: Run a scan with Kaspersky Virus Removal Tool

1. Download Kaspersky Virus Removal Tool from the link below, then double-click it to start the utility (this link opens a new web page from where you can download the tool):
   KASPERSKY VIRUS REMOVAL TOOL: http://www.kaspersky.com/antivirus-removal-tool?form=1
2. Follow the on-screen prompts until it is installed.
3. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
   - System Memory
   - Hidden startup objects
   - Disk boot sectors
   - Local Disk (C:)
   - Any other drives you may have (including removable ones)
4. Then click Actions on the left-hand side.
5. Click Select Action, then make sure both "Disinfect" and "Delete if disinfection fails" are ticked.
6. Click Automatic Scan.
7. Now click the Start Scanning button to run the scan.
8. After the scan is complete, click the Reports button (the 'Paper' icon, next to the 'Gear' icon) on the right-hand side.
9. Click Detected threats on the left.
10. Now click the Save button, and save it as kaslog.txt to your Desktop.
11. Please attach kaslog.txt in your next reply.

---------------------------------------

STEP 3: Run a HitmanPro scan

1. Download the latest official version of HitmanPro (this link opens a download page in a new window):
   HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/
2. Start HitmanPro by double-clicking the previously downloaded file, then follow the prompts.
3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object, click Next.
4. Click "Activate free license" to start the free 30-day trial and remove the malicious files.
5. HitmanPro will now start removing the infected objects and, in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

Add to your next reply any log that HitmanPro might generate.

---------------------------------------
 

chikenfoot

New Member
Thread author
May 30, 2013
14
Eset scan results

C:\ProgramData\Microsoft\Windows\DRM\26C2.tmp Win64/Olmarik.AH trojan
C:\ProgramData\Microsoft\Windows\DRM\32C3.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\26C2.tmp Win64/Olmarik.AH trojan
C:\Users\All Users\Microsoft\Windows\DRM\32C3.tmp Win64/Olmarik.AD trojan
C:\Users\Chikenfoot\AppData\Local\Temp\dealcabby.exe Win32/Adware.DealCabby.A application
C:\Users\Chikenfoot\AppData\Local\Temp\jar_cache4492946081540546286.tmp a variant of Java/Exploit.CVE-2012-0507.FA trojan
C:\Users\Chikenfoot\AppData\LocalLow\62FE.tmp.dat a variant of Win32/Kryptik.BCBX trojan
C:\Users\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5ddf10d2-6b94e1dc Java/Exploit.CVE-2012-1723.FZ trojan
C:\Users\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\e16a19c-4e2eeacc a variant of Java/Exploit.CVE-2013-0422.CF trojan
C:\Users\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-5cb5eb40 Java/TrojanDownloader.OpenStream.NCM trojan
 

chikenfoot

New Member
Thread author
May 30, 2013
14
kaslog.txt

Status: Deleted (events: 10)
6/1/2013 10:13:18 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\26C2.tmp High
6/1/2013 10:13:18 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\26C2.tmp//MPRESS High
6/1/2013 10:12:49 AM Deleted Trojan program Trojan.Win64.TDSS.a C:\Documents and Settings\All Users\Microsoft\Windows\DRM\32C3.tmp High
6/1/2013 10:17:21 AM Deleted Trojan program Exploit.Win32.CVE-2011-3402.a C:\Documents and Settings\Chikenfoot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZXYDW33\38830b9e899be47dabd4307c64e72747[1].eot High
6/1/2013 10:17:21 AM Deleted Trojan program Exploit.Win32.CVE-2011-3402.a C:\Documents and Settings\Chikenfoot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5ZXYDW33\38830b9e899be47dabd4307c64e72747[1].eot//EOT High
6/1/2013 10:18:25 AM Deleted Trojan program HEUR:Exploit.Java.CVE-2012-0507.gen C:\Documents and Settings\Chikenfoot\AppData\Local\Temp\jar_cache4492946081540546286.tmp High
6/1/2013 10:22:53 AM Deleted Trojan program Trojan-Dropper.Win32.TDSS.axgi C:\Documents and Settings\Chikenfoot\AppData\LocalLow\62FE.tmp.dat High
6/1/2013 10:23:02 AM Deleted Trojan program HEUR:Exploit.Java.CVE-2012-1723.gen C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5ddf10d2-6b94e1dc High
6/1/2013 10:22:57 AM Deleted Trojan program HEUR:Exploit.Java.CVE-2013-0422.gen C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\e16a19c-4e2eeacc High
6/1/2013 10:23:15 AM Deleted Trojan program HEUR:Exploit.Java.CVE-2013-0431.gen C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\433505a1-5651f0fd High
Status: Disinfected (events: 3)
6/1/2013 10:23:11 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.er C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-5cb5eb40 High
6/1/2013 10:23:11 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.er C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-5cb5eb40/bingo/efir.class High
6/1/2013 10:23:11 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.er C:\Documents and Settings\Chikenfoot\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-5cb5eb40/bingo/haskalu.class High
 

chikenfoot

New Member
Thread author
May 30, 2013
14
Code:
HitmanPro 3.7.5.199
www.hitmanpro.com

   Computer name . . . . : FOOT-TOP
   Windows . . . . . . . : 6.1.0.7600.X64/2
   User name . . . . . . : foot-top\Chikenfoot
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-06-01 22:29:05
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 8m 39s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 1694

   Objects scanned . . . : 1,591,319
   Files scanned . . . . : 74,435
   Remnants scanned  . . : 544,030 files / 972,854 keys

Cookies _____________________________________________________________________

 
