yessearches and wajam virus



W4yneb0t
2016-04-14, 02:16
I ran a .exe from an untrusted source after scanning it with MSE and receiving a "no threats found". Immediately after running it, my user account settings were changed to never ask for permission before doing admin things, my browser homepage was set to yessearches, the programs yessearches and wajam appeared in the control panel programs list, and a bunch of gibberish-named processes appeared in the task manager. I manually removed both programs in control panel, closed the processes and reset the account settings. I also deleted the offending .exe, but I can't seem to remove its containing folder because it's "in use". I didn't reboot the PC. I used tweaking, FRST and aswmbr as instructed. In FRST, there was no "all users" checkbox. Addition.txt was too large to attach despite having the 3 things unchecked as the instructions said, so I split it up.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
Ran by ndjokic (administrator) on NDJOKIC-PC (13-04-2016 23:09:58)
Running from C:\Users\ndjokic\Desktop\av\frst
Loaded Profiles: ndjokic (Available Profiles: ndjokic)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Logitech Inc.) C:\Program Files\Logitech\Gaming Software\LWEMon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(TechSmith Corporation) C:\Program Files (x86)\Camtasia\TscHelp.exe
(hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(Gorenie) C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
(PortableApps.com) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\ChromiumPortable.exe
(The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
(The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
(The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
(The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [835072 2011-01-27] (IDT, Inc.)
HKLM\...\Run: [Start WingMan Profiler] => C:\Program Files\Logitech\Gaming Software\LWEMon.exe [190536 2010-06-14] (Logitech Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2804976 2013-10-30] (Synaptics Incorporated)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [3825176 2012-11-13] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [chromebrowser] => "C:\Windows\chromebrowser.exe"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {6a70d0d2-ff26-11e1-b4b9-806e6f6e6963} - F:\SWSETUP\APPINSTL\hpsoftwaresetup.exe
HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {daf1934d-3319-11e2-b636-930c393050a1} - H:\setup.exe
HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {f21576c4-3c71-11e2-9a04-402cf41c83ea} - G:\autorun\autorun.exe
ShellIconOverlayIdentifiers: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 62.2.17.60 62.2.24.162 62.2.17.61 62.2.24.158
Tcpip\..\Interfaces\{578D35C4-7A6D-4670-80A2-46D787BCE321}: [DhcpNameServer] 62.2.17.60 62.2.24.162 62.2.17.61 62.2.24.158
Tcpip\..\Interfaces\{FF11C6AE-3BBF-47EC-ADA4-DDC7154832BE}: [DhcpNameServer] 7.254.254.254

Internet Explorer:
==================
HKU\S-1-5-21-132009455-2026092721-3990303557-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ch.search.yahoo.com/?type=435371&fr=spigot-yhp-ie
SearchScopes: HKU\S-1-5-21-132009455-2026092721-3990303557-1000 -> {69168FDA-9A00-4BF6-979E-D9BE7DCAAAC4} URL = hxxps://ch.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=435371&p={searchTerms}
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1
FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF DefaultSearchEngine: yessearches
FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
FF SelectedSearchEngine: yessearches
FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
FF NetworkProxy: "autoconfig_url", "http://r-1.ch/twitch.pac"
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-20] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-20] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll [2013-06-26] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-12-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-12-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2013-08-30] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-08-30] (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\ndjokic\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-08-30] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
FF Extension: Rehost Image - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\rehostimage@engy.us.xpi [2016-01-22]
FF Extension: Classic Theme Restorer - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-04-10]
FF Extension: ChatZilla - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-04-13]
FF Extension: FoxyProxy Standard - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\foxyproxy@eric.h.jung [2016-04-13]
FF Extension: Classic Theme Restorer - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-04-10]
FF Extension: ReChat for Twitch™ - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\firefox@rechat.org.xpi [2015-05-29]
FF Extension: FoxyProxy Standard - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\foxyproxy@eric.h.jung [2016-02-18]
FF Extension: YouTube Center - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2015-05-29]
FF Extension: Rehost Image - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\rehostimage@engy.us.xpi [2016-01-22]
FF Extension: ChatZilla - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2015-10-27]
FF Extension: Adblock Plus - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23]
FF Extension: Team Liquid Streams - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{db09811d-efff-4339-a548-8550c7238a30}.xpi [2015-05-29]
FF Extension: GsearchFinder - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi [2016-04-12]
FF Extension: ReChat for Twitch™ - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\firefox@rechat.org.xpi [2015-05-29]
FF Extension: YouTube Center - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2015-05-29]
FF Extension: Adblock Plus - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23]
FF Extension: Team Liquid Streams - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\{db09811d-efff-4339-a548-8550c7238a30}.xpi [2015-05-29]
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-08-30] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
CHR DefaultSearchKeyword: Default -> yessearches
CHR Profile: C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-05]
CHR Extension: (Google Drive) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-05]
CHR Extension: (Adblock for Youtube™) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2016-03-13]
CHR Extension: (Google Search) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Tampermonkey) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-04-12]
CHR Extension: (Custom Zoom) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\flacjbeghjebdkbgdlncibepomldoebh [2016-02-08]
CHR Extension: (AdBlock) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-03-18]
CHR Extension: (RealDownloader) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2015-08-05]
CHR Extension: (Google Hangouts) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2016-03-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Gmail) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-05]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 BugreportW; C:\Program Files (x86)\yesbnd\mbat.exe [990336 2016-04-12] ()
S2 FedaryqeuleServerSrv; C:\Program Files (x86)\Fedaryqeule\FedaryqeuleServerSrv.exe [315872 2016-04-12] ()
S4 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [281656 2011-01-28] (Hewlett-Packard Company)
S4 ImDskSvc; C:\Windows\system32\imdsksvc.exe [11264 2012-07-30] (Olof Lagerkvist) [File not signed]
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2009-10-20] (CACE Technologies, Inc.)
S4 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
S4 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
S4 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
S4 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [762320 2014-11-04] (Tunngle.net GmbH) [File not signed]
S4 VMAuthdService; C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe [79872 2012-08-15] (VMware, Inc.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AWEAlloc; C:\Windows\System32\DRIVERS\awealloc.sys [18384 2012-02-16] (Olof Lagerkvist)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R2 ImDisk; C:\Windows\System32\DRIVERS\imdisk.sys [38416 2012-07-30] (Olof Lagerkvist)
R0 johci; C:\Windows\System32\DRIVERS\johci.sys [26712 2011-01-18] (JMicron Technology Corp.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [47632 2009-10-20] (CACE Technologies, Inc.)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1826048 2010-12-21] ()
S3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [105816 2012-09-13] (Oracle Corporation)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [31384 2012-08-15] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70256 2012-07-06] (VMware, Inc.)
S3 ALSysIO; \??\C:\Users\ndjokic\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-13 23:08 - 2016-04-13 23:09 - 00000000 ____D C:\FRST
2016-04-13 23:03 - 2016-04-13 23:03 - 00000207 _____ C:\Windows\tweaking.com-regbackup-NDJOKIC-PC-Windows-7-Professional-(64-bit).dat
2016-04-13 23:02 - 2016-04-13 23:10 - 00000000 ____D C:\Users\ndjokic\Desktop\av
2016-04-13 22:41 - 2016-04-13 22:48 - 00000000 ____D C:\Program Files (x86)\yesbnd
2016-04-13 22:41 - 2016-04-13 22:42 - 00000000 ____D C:\Users\ndjokic\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
2016-04-13 22:41 - 2016-04-13 22:41 - 00014686 _____ C:\Windows\System32\Tasks\Fedaryqeule Server
2016-04-13 22:41 - 2016-04-13 22:41 - 00014508 _____ C:\Windows\System32\Tasks\Ninight Collector
2016-04-13 22:41 - 2016-04-13 22:41 - 00000000 ____D C:\Program Files (x86)\Ninight
2016-04-13 22:41 - 2016-04-13 22:41 - 00000000 ____D C:\Program Files (x86)\Fedaryqeule
2016-04-13 22:40 - 2016-04-13 22:41 - 00000000 ____D C:\Users\Public\Documents\dmp
2016-04-13 22:40 - 2016-04-13 22:40 - 02614035 _____ C:\Windows\chromebrowser.exe
2016-04-10 22:19 - 2016-04-10 23:40 - 00000000 ____D C:\Users\ndjokic\Desktop\fab ub tutorial
2016-04-01 09:35 - 2016-04-01 09:35 - 00000137 _____ C:\Users\ndjokic\Desktop\Steambirds Alliance.url
2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\.mono
2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\Users\ndjokic\AppData\LocalLow\SpryFox
2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\ProgramData\.mono
2016-03-28 12:02 - 2016-03-28 12:02 - 00000221 _____ C:\Users\ndjokic\Desktop\TrackMania Nations Forever.url
2016-03-27 18:53 - 2016-04-13 22:03 - 00000000 ____D C:\Users\ndjokic\Documents\TrackMania
2016-03-27 18:53 - 2016-03-28 12:25 - 00000000 ____D C:\ProgramData\TrackMania
2016-03-26 11:09 - 2016-03-26 11:09 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Crunchy Games
2016-03-26 10:46 - 2016-03-26 10:46 - 00000222 _____ C:\Users\ndjokic\Desktop\StarBreak.url
2016-03-23 17:25 - 2016-03-23 17:25 - 00085593 _____ C:\Users\ndjokic\Desktop\toocscraj.txt
2016-03-23 17:09 - 2016-03-23 17:09 - 00001149 _____ C:\Users\ndjokic\Desktop\toocsp.txt
2016-03-23 17:05 - 2016-03-23 17:05 - 00005648 _____ C:\Users\ndjokic\Desktop\toocscrdb.txt
2016-03-16 11:54 - 2016-03-16 11:56 - 00000000 ____D C:\Users\ndjokic\Desktop\kb
2016-03-14 02:08 - 2016-04-04 10:49 - 00000947 _____ C:\Users\ndjokic\Desktop\justalts.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-13 23:10 - 2015-09-11 22:43 - 00017089 _____ C:\Users\ndjokic\Desktop\sb.txt
2016-04-13 22:48 - 2015-08-05 16:34 - 00002068 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-13 22:48 - 2015-08-05 16:34 - 00002056 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-13 22:48 - 2014-07-23 15:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-13 22:48 - 2012-09-15 13:51 - 00001873 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-04-13 22:48 - 2012-09-15 13:51 - 00001861 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-04-13 22:48 - 2012-09-15 13:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-13 22:45 - 2012-09-15 16:09 - 00000000 ____D C:\games
2016-04-13 22:43 - 2012-09-18 10:23 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\uTorrent
2016-04-13 22:29 - 2014-07-03 21:29 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-13 22:22 - 2009-07-14 06:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-13 22:22 - 2009-07-14 06:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-13 22:14 - 2014-01-27 21:49 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-13 21:46 - 2012-09-18 08:37 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Skype
2016-04-13 21:41 - 2015-04-18 17:50 - 00003229 _____ C:\Users\ndjokic\Desktop\calendar.txt
2016-04-13 19:21 - 2014-01-27 21:49 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-13 19:01 - 2015-08-06 00:09 - 00000000 ____D C:\Users\ndjokic\Desktop\job stuff
2016-04-13 18:58 - 2013-09-06 20:32 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\TS3Client
2016-04-13 14:12 - 2015-05-05 14:14 - 00006812 _____ C:\Users\ndjokic\Desktop\todo coding.txt
2016-04-13 13:35 - 2012-10-11 21:28 - 00000000 ____D C:\Users\ndjokic\.VirtualBox
2016-04-12 01:00 - 2013-02-02 21:17 - 00000000 ____D C:\Users\ndjokic\Desktop\dls
2016-04-11 21:41 - 2013-07-11 18:26 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\vlc
2016-04-10 22:23 - 2009-07-14 07:13 - 00786766 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-10 22:23 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-04-10 22:21 - 2015-11-14 15:01 - 00000000 ____D C:\Users\ndjokic\Desktop\sb vid
2016-04-10 22:19 - 2015-11-14 13:15 - 00000000 ____D C:\Users\ndjokic\Desktop\screenrec
2016-04-10 11:01 - 2014-04-23 06:45 - 00003370 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-132009455-2026092721-3990303557-1000
2016-04-10 11:01 - 2014-04-23 06:45 - 00003240 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-132009455-2026092721-3990303557-1000
2016-04-10 07:52 - 2014-08-19 11:19 - 00003348 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-132009455-2026092721-3990303557-1000
2016-04-10 07:52 - 2014-08-19 11:19 - 00003218 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-132009455-2026092721-3990303557-1000
2016-04-10 07:52 - 2012-12-31 19:09 - 00000000 ____D C:\Users\ndjokic\AppData\Local\TSVNCache
2016-04-10 07:51 - 2012-10-11 14:18 - 00000000 ____D C:\ProgramData\VMware
2016-04-10 07:51 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-08 00:15 - 2016-03-01 16:26 - 00001023 _____ C:\Users\ndjokic\Desktop\fabdoublegav.ahk
2016-04-08 00:15 - 2016-02-18 20:31 - 00001045 _____ C:\Users\ndjokic\Desktop\fabgav.ahk
2016-04-08 00:15 - 2016-02-17 17:35 - 00001015 _____ C:\Users\ndjokic\Desktop\fab.ahk
2016-04-08 00:15 - 2016-01-23 22:00 - 00000993 _____ C:\Users\ndjokic\Desktop\dw autoswitch.ahk
2016-04-08 00:14 - 2016-01-27 17:41 - 00001130 _____ C:\Users\ndjokic\Desktop\fab old.ahk
2016-04-08 00:14 - 2015-09-22 23:19 - 00000469 _____ C:\Users\ndjokic\Desktop\dw.ahk
2016-04-07 14:53 - 2015-12-26 17:33 - 00009843 _____ C:\Users\ndjokic\Documents\NetUptime.txt
2016-04-04 15:44 - 2014-02-17 15:18 - 00000000 ____D C:\Users\ndjokic\Desktop\stuff
2016-04-04 10:57 - 2015-08-22 17:07 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Jitsi
2016-04-04 10:57 - 2015-08-22 17:07 - 00000000 ____D C:\Users\ndjokic\AppData\Local\Jitsi
2016-04-02 13:02 - 2013-02-25 05:00 - 00000000 ____D C:\Users\ndjokic\Desktop\permutation stuff
2016-04-01 14:47 - 2015-05-09 20:11 - 00005753 _____ C:\Users\ndjokic\Desktop\task ideas.txt
2016-03-28 12:29 - 2012-09-15 12:29 - 00000000 ____D C:\Users\ndjokic\AppData\Local\VirtualStore
2016-03-26 11:09 - 2014-07-12 00:24 - 00000000 ____D C:\ProgramData\Package Cache
2016-03-22 12:12 - 2015-11-22 14:59 - 00000000 ____D C:\Users\ndjokic\AppData\Local\CrashDumps
2016-03-20 11:33 - 2013-06-29 04:46 - 00000000 ____D C:\Users\ndjokic\AppData\Local\Adobe
2016-03-20 11:32 - 2012-09-20 11:32 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-20 11:32 - 2012-09-20 11:32 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2015-02-04 16:54 - 2015-05-11 21:40 - 0001042 _____ () C:\Users\ndjokic\AppData\Roaming\SpeedRunnersLog.txt
2015-02-27 00:29 - 2015-02-27 00:29 - 0000335 _____ () C:\Users\ndjokic\AppData\Local\Perfmon.PerfmonCfg
2012-10-08 13:00 - 2012-10-08 13:13 - 0000600 _____ () C:\Users\ndjokic\AppData\Local\PUTTY.RND
2013-03-30 21:45 - 2015-10-27 18:20 - 0007635 _____ () C:\Users\ndjokic\AppData\Local\Resmon.ResmonCfg
2015-03-21 11:50 - 2015-03-21 11:50 - 0000000 _____ () C:\Users\ndjokic\AppData\Local\{98C9AFB2-5902-4A3A-B059-FE3063B0560A}

Some files in TEMP:
====================
C:\Users\ndjokic\AppData\Local\Temp\ads.exe
C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-08 00:47

==================== End of FRST.txt ============================

Juliet
2016-04-15, 00:52
Hi

Running from C:\Users\ndjokic\Desktop\av\frst

It's best we move Farbar's to desktop.

Please go to your desktop, locate the folder av\frst, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)
FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF DefaultSearchEngine: yessearches
FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
FF SelectedSearchEngine: yessearches
FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
CHR DefaultSearchKeyword: Default -> yessearches
C:\Users\ndjokic\AppData\Local\Temp\ads.exe
C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe
CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
ShortcutWithArgument: C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://files.gokgs.com/javaBin/cgoban.jnlp "C:\Users\ndjokic\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\21086f76-383a84fa"
EmptyTemp:
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~

http://i.imgur.com/BY4dvz9.png AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop.
Right-click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click http://i.imgur.com/6cyn5v5.png Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click http://i.imgur.com/MqHawIb.png Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[S1].txt.

======================================================

http://s24.photobucket.com/user/ken545/media/Capture_zpsge1t2tk9.jpg
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) or from here http://downloads.malwarebytes.org/file/jrt to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


~~~~~~~~~~
Please post:
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt

W4yneb0t
2016-04-15, 01:32
After the second restart, Chrome asked for admin rights, which I didn't give. Logs are attached.

Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
Ran by ndjokic (2016-04-14 23:55:37) Run:1
Running from C:\Users\ndjokic\Desktop
Loaded Profiles: ndjokic (Available Profiles: ndjokic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)
FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF DefaultSearchEngine: yessearches
FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
FF SelectedSearchEngine: yessearches
FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
CHR DefaultSearchKeyword: Default -> yessearches
C:\Users\ndjokic\AppData\Local\Temp\ads.exe
C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe
CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
ShortcutWithArgument: C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://files.gokgs.com/javaBin/cgoban.jnlp "C:\Users\ndjokic\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\21086f76-383a84fa"
EmptyTemp:
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
Firefox "newtab" removed successfully
Firefox DefaultSearchEngine removed successfully
Firefox DefaultSearchEngine.US removed successfully
Firefox SelectedSearchEngine removed successfully
Firefox "homepage" removed successfully
Firefox "Keyword.URL" removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully
"HKU\S-1-5-21-132009455-2026092721-3990303557-1000\Software\MozillaPlugins\ubisoft.com/uplaypc" => key removed successfully
C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll => not found.
C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml => moved successfully
C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml => moved successfully
C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml => moved successfully
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
C:\Users\ndjokic\AppData\Local\Temp\ads.exe => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\appstart.exe => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe => moved successfully
"HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => key removed successfully
C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk => Shortcut argument removed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{F03E6C1B-4428-485F-858A-FA3F5FDB81F7} canceled.
{E407E379-3CBF-4F4A-9A5A-9776239947AC} canceled.
{342835C6-555E-4066-B2C3-42A3945E59BD} canceled.
{F21B83B3-6263-4E7C-9F16-DE070237D9BD} canceled.
{15CA46E8-4B57-4AAE-96C6-7DCF51BE6E3C} canceled.
{F55A5BC3-F0E9-4DBC-A6FB-7DF3B89731B5} canceled.
{DF846CD4-0F0F-4EF6-A3E7-CC6B249FB3C8} canceled.
{663D8B13-AC1B-48A3-BEAC-08A0726C1C49} canceled.
{48761FE8-109B-46B7-AF2E-96339A436285} canceled.
{E9222F95-F650-440B-BD2A-EED2241D7E86} canceled.
{998E4FE0-5037-4A3F-A190-41356C42296C} canceled.
{4542AEA9-1C8D-4A07-90AD-BF847203AB65} canceled.
{C91365FF-BF09-46E0-9CCC-F5A74B5D0FF3} canceled.
{905B56DD-BB49-4129-B8EB-9A977C0E67B7} canceled.
{347CC6D8-DF6F-4B11-B630-82B7C61DD688} canceled.
{30767824-4D8E-4049-8D1D-7AC14DA8BB38} canceled.
{891B3B12-3406-4977-8C7C-FE2AF22AAA47} canceled.
{09B00465-DC55-481C-9DC0-6FEB85CFF24A} canceled.
{11BDEDA0-4A77-447A-826F-725CD06F6D3F} canceled.
{147096D6-09D8-4F9F-9D67-1924436DEA90} canceled.
20 out of 20 jobs canceled.

========= End of CMD: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========

EmptyTemp: => 8.6 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 23:57:41 ====






# AdwCleaner v5.111 - Logfile created 15/04/2016 at 00:08:39
# Updated 14/04/2016 by Xplode
# Database : 2016-04-11.4 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : ndjokic - NDJOKIC-PC
# Running from : C:\Users\ndjokic\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\YourGSearchFinder_br

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}
[-] Key Deleted : HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}
[-] Key Deleted : HKCU\Software\OCS
[-] Key Deleted : HKLM\SOFTWARE\yessearchesSoftware
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{69168FDA-9A00-4BF6-979E-D9BE7DCAAAC4}

***** [ Web browsers ] *****

[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\prefs.js] Deleted : user_pref("keyword.URL", "hxxps://ch.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=435371&p=");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.hp", "hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffsengext");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.sp", "hxxp://www.yessearches.com/chrome.php?mode=ffsengext&ptid=wak&q={searchTerms}&ts=AHEqA3IsA30qCE..&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.url", "hxxp://www.yessearches.com/chrome.php?mode=ffsengext&ptid=wak&q={searchTerms}&ts=AHEqA3IsA30qCE..&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.BUTTON_STRUCTURE", "[{"b":224520315,"c":"mindspark.magnify","p":"L.0"},{"b":224520316,"c":"mindspark.entersearchterms","p":"L.0.0[...]
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.browser.version.last", "42.0");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.firstKnownVersion", "7.38.8.45986");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.homepage", "/index.jhtml?n=782a596a");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.hp.enabled", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.hp.guardType", "HPR");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.initialized", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.installation.installDate", "2016041322");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.installation.success", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lastActivePing", "1460580564460");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lastKnownVersion", "7.38.8.45986");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lssState", "{"previousLocales":["en-US","en"],"supportedLocales":["de","es","pt","ja","en"],"defaultLocale":"en","supportedLo[...]
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.defaultSearch", false);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.homePageEnabled", false);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.keywordEnabled", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.tabEnabled", false);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.productDeliveryOption.language", "en");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.productDeliveryOption.type", "Toolbar");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.successUrl", "hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q[...]
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.toolbarCollapsed", false);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.uninstallTasks", "{"prefBranchesToDelete":["extensions.toolbar.mindspark._brMembers_."],"filesToDelete":["C:\\\\Users\\\\ndjokic\\\\AppData\\[...]
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "yourGSearchfinder@GSearch.com");
[-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "yourGSearchfinder@GSearch.com");

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
:: Chrome preferences reset : C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [7353 bytes] - [15/04/2016 00:08:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [7340 bytes] - [15/04/2016 00:05:31]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7499 bytes] ##########





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Professional x64
Ran by ndjokic (Administrator) on 15/04/2016 at 0:17:15.97
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 15

Successfully deleted: C:\ProgramData\Start Menu\Programs\(default) (Folder)
Successfully deleted: C:\Users\ndjokic\AppData\Roaming\3909 (Folder)
Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi (File)
Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi (File)
Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\searchplugins\yahoo_ff.xml (File)
Successfully deleted: C:\Users\ndjokic\AppData\Roaming\speedrunnerslog.txt (File)
Successfully deleted: C:\Windows\chromebrowser.exe (File)
Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FIYZ7QI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6C7HJ9I5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72BPMKMX (Temporary Internet Files Folder)
Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPZVFHFF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FIYZ7QI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6C7HJ9I5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72BPMKMX (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPZVFHFF (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15/04/2016 at 0:23:11.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
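
The FRST fixlist and the AdwCleaner log above show what this hijack looks like on disk: a handful of Firefox user_pref lines (homepage, default search, keyword.URL) pointing at yessearches.com, plus a whole extensions.toolbar.mindspark pref branch. As an added example, not code from this thread or from FRST, AdwCleaner or JRT, here is a small Python checker that parses a prefs.js and flags those indicators so a second machine can be triaged without re-running the cleaners. The sample prefs.js is constructed to mirror the lines AdwCleaner deleted; the SENSITIVE_PREFIXES list and the allow-list of benign search hosts are assumptions of this check, not something the page states.

```python
"""Flag browser-hijack indicators in a Firefox prefs.js (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample input, modelled on the user_pref lines AdwCleaner deleted
# above (the defanged hxxp restored to http so urlparse sees a real scheme).
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.search.searchengine.hp", "http://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffsengext");
user_pref("browser.search.searchengine.url", "http://www.yessearches.com/chrome.php?mode=ffsengext&ptid=wak&q={searchTerms}&ts=AHEqA3IsA30qCE..&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412");
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("extensions.toolbar.mindspark._brMembers_.hp.enabled", true);
user_pref("keyword.URL", "https://ch.search.yahoo.com/search?fr=greentree_ff1&p=");
user_pref("browser.newtabpage.enabled", true);
'''

# Prefs a search/homepage hijacker has to rewrite (assumed list for this check).
SENSITIVE_PREFIXES = (
    "browser.startup.homepage",
    "browser.search.",
    "keyword.URL",
    "browser.newtab.url",
)
# Pref branches written only by the toolbar family seen in the AdwCleaner log.
SUSPICIOUS_BRANCHES = ("extensions.toolbar.mindspark.", "extensions.mywebsearch.")
# Assumed allow-list: hosts a search or homepage pref may legitimately point at.
ALLOWED_HOSTS = {
    "www.mozilla.org", "www.google.com", "duckduckgo.com",
    "search.yahoo.com", "ch.search.yahoo.com",
}

PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*?)\);\s*$')
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _decode(raw):
    """Turn the raw value text of one user_pref line into a Python value."""
    m = STR_RE.match(raw)
    if m:
        # Firefox escapes " and \ inside string prefs; undo those two escapes.
        return m.group(1).replace('\\"', '"').replace('\\\\', '\\')
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw  # unknown form: keep the text as written


def parse_prefs(text):
    """Parse prefs.js text into {pref name: value}; non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2).strip())
    return prefs


def _host_of(value):
    """Hostname of a URL-valued pref, or None for non-URL values."""
    if not isinstance(value, str) or "://" not in value:
        return None
    return urlparse(value).hostname


def find_hijack_indicators(prefs):
    """Return (name, reason, value) for every pref that looks hijacked."""
    findings = []
    for name, value in prefs.items():
        if name.startswith(SUSPICIOUS_BRANCHES):
            findings.append((name, "written by a known toolbar/hijacker branch", value))
            continue
        if name.startswith(SENSITIVE_PREFIXES):
            host = _host_of(value)
            if host and host not in ALLOWED_HOSTS:
                findings.append((name, f"points at non-allow-listed host {host}", value))
    return findings


if __name__ == "__main__":
    for name, reason, value in find_hijack_indicators(parse_prefs(SAMPLE_PREFS)):
        print(f"{name}: {reason}\n    {value}")
```

To run it against a real profile, read the file (for example AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\prefs.js) with Firefox closed and pass its text to parse_prefs; anything the checker reports should be compared with what AdwCleaner removed before trusting the allow-list, which is deliberately short.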

Juliet
2016-04-15, 03:19
Please run this security check.

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
or from one of these two other sites:
http://rocketgrannie.spywareinfoforum.org/SecurityCheck.exe
http://www.bleepingcomputer.com/download/securitycheck/


Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


~~~~~~~~~~~~~~~~~~~`

Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) TO YOUR DESKTOP




Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"




http://i24.photobucket.com/albums/c30/ken545/0841859c-1a35-4dbd-b41a-e720629e3e22_zpst0yckuua.png



On the Dashboard click on Update Now

Go to the Setting Tab

Under Setting go to Detection and Protection

Under PUP and PUM make sure both are set to show Treat Detections as Malware

Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked

Then on the Dashboard click on Scan

Make sure to select THREAT SCAN

Then click on Scan


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply

Exit Malwarebytes


~~~~~~~~~~~~~

After running the above 2 scans please give me an update on how the computer is now.

W4yneb0t
2016-04-15, 12:53
I had a problem with Malwarebytes: on the dashboard, I clicked "scan now" (there's no "scan" on the dashboard), but that didn't ask me whether to do a "threat scan" or something else, it just started. So I canceled that scan, then went into the "scan" menu (not dashboard), where I could choose "threat scan", and proceeded with that. Now, in the history tab, there's only a scan log from the scan that was canceled after a few seconds, not from the one that finished. That one quarantined about 3400 items, some of which were related to yessearches, but its log is just missing.

I don't see any symptoms of an infection at the moment, thanks for your help.



Results of screen317's Security Check version 1.014 --- 12/23/15
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Java 8 Update 25
Java version 32-bit out of Date!
Adobe Flash Player 21.0.0.182
Mozilla Firefox (42.0)
Mozilla Thunderbird 17.0.3 Thunderbird out of Date!
Google Chrome (49.0.2623.110)
Google Chrome (49.0.2623.112)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Juliet
2016-04-15, 19:32
quarantined about 3400 items,
That's amazing and kinda concerning

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java

Please read this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) about Java.

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

If you do need to keep Java then download JavaRa (https://singularlabs.com/software/javara/javara-download/)
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version.

Java (http://java.com/en/download/index.jsp) <-- latest version, (watch out for "Optional Offers" or bundled software)

~~~~~~~~~~~~~~~

Let's run one more quick scan with MBAM, this one should show up in the logs and hopefully it finds nothing.

Open MBAM

On the Dashboard click on Update Now
If any updates are found allow them to be downloaded and installed.

Next
Then on the Dashboard click on Scan

Make sure to select THREAT SCAN

Then click on Scan

When completed


http://i24.photobucket.com/albums/c30/ken545/MBAM%20Application_zps7zm0ftdm.png (http://s24.photobucket.com/user/ken545/media/MBAM%20Application_zps7zm0ftdm.png.html)

Open up Malwarebytes and you will be on the Dashboard
Click on the History Tab
Then click on Application Logs
Double click on the SCAN LOG (Not Protection Log ) you just ran

Then click on Export
On the drop down list click on Copy to Clipboard
Then paste the log back into this thread

~~~~~~~~~~~~~~~~~~~~~~~

What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.



http://i.imgur.com/GzlsbnV.png ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png. If no threats were found, skip the next two bullet points.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://i.imgur.com/KN1w2nv.png and click http://i.imgur.com/SzOC1p0.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.




Also, can you give me an update on how the computer is at the moment.

W4yneb0t
2016-04-16, 02:55
There's something strange about MBAM logs. This time MBAM quarantined 4 items, but the log says 0 everywhere. There are no symptoms of an infection, other than what the various AV tools are reporting.



Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15/04/2016
Scan Time: 21:53
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.15.05
Rootkit Database: v2016.04.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ndjokic

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363498
Time Elapsed: 18 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)






C:\comics\The Far Side\Far Side\Install to view cbr files.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\FRST\Quarantine\C\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe.xBAD a variant of Win32/IStartSurf.R potentially unwanted application
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar a variant of Win32/Packed.VMProtect.ABD trojan
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll a variant of Win32/Packed.VMProtect.ABD trojan
C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso a variant of Win32/HackTool.Crack.CC potentially unsafe application
C:\games\Rayman Legends i1\steam_api.dll a variant of Win32/HackTool.Crack.BQ potentially unsafe application
C:\games\Rayman Legends i1\uplay_r1.dll Win32/HackTool.Crack.DG potentially unsafe application
C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso a variant of Win32/HackTool.Crack.BQ potentially unsafe application
C:\games\Speedrunners\steam_api.dll a variant of Win32/HackTool.Crack.DW potentially unsafe application
C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll a variant of Win32/HackTool.Crack.DW potentially unsafe application
C:\games\The Witness\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
C:\games\The Witness\steam_api64.dll a variant of Win64/HackTool.Crack.F potentially unsafe application
C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso a variant of Win32/HackTool.Crack.CS potentially unsafe application
C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
C:\old stuff\red stick\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application
C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

Juliet
2016-04-16, 15:25
Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.
If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.
I strongly recommend you refrain from participating in this activity; your computer will be repeatedly infected otherwise. Simply visiting a cracked software site can result in infection via drive-by exploits of vulnerable software.
Additionally, cracked programs are illegal.

Forum Policy
I strongly suggest you remove any cracked software that is installed, we do not approve nor will we provide support in the future for problems produced because of illegal software.

~~~~~~~~~~~~~~~~~~~~~
Please open Notepad. *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. Save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:

C:\comics\The Far Side\Far Side\Install to view cbr files.exe
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll
C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso
C:\games\Rayman Legends i1\steam_api.dll
C:\games\Rayman Legends i1\uplay_r1.dll
C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso
C:\games\Speedrunners\steam_api.dll
C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll
C:\games\The Witness\steam_api.dll
C:\games\The Witness\steam_api64.dll
C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso
C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe
C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe
C:\old stuff\red stick\sct\Generateur de clef\keygen.exe
C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe
C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat
C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~

After running the above script, please run MBAM again.
Before the window closes can you type down the name of what it finds so I can see what was detected?

W4yneb0t
2016-04-16, 19:17
MBAM found 3 threats, and the scan log is again simply missing. FRST couldn't remove a .iso because it was in use, apologies, shall I remove it manually? Here's what MBAM found:

PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Value - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A6D93872-315E-4DF6-B008-AEC4266537C0}|Path

PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Key - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A6D93872-315E-4DF6-B008-AEC4266547C0}

PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Key - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Ninight Collector



Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
Ran by ndjokic (2016-04-16 17:14:03) Run:2
Running from C:\Users\ndjokic\Desktop
Loaded Profiles: ndjokic (Available Profiles: ndjokic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:

C:\comics\The Far Side\Far Side\Install to view cbr files.exe
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll
C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso
C:\games\Rayman Legends i1\steam_api.dll
C:\games\Rayman Legends i1\uplay_r1.dll
C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso
C:\games\Speedrunners\steam_api.dll
C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll
C:\games\The Witness\steam_api.dll
C:\games\The Witness\steam_api64.dll
C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso
C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe
C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe
C:\old stuff\red stick\sct\Generateur de clef\keygen.exe
C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe
C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat
C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll
EmptyTemp:
End

*****************

Restore point was successfully created.
Processes closed successfully.
C:\comics\The Far Side\Far Side\Install to view cbr files.exe => moved successfully
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar => moved successfully
C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll => moved successfully
C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso => moved successfully
C:\games\Rayman Legends i1\steam_api.dll => moved successfully
C:\games\Rayman Legends i1\uplay_r1.dll => moved successfully
C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso => moved successfully
C:\games\Speedrunners\steam_api.dll => moved successfully
C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll => moved successfully
C:\games\The Witness\steam_api.dll => moved successfully
C:\games\The Witness\steam_api64.dll => moved successfully
Could not move "C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso" => Scheduled to move on reboot.
C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe => moved successfully
C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe => moved successfully
C:\old stuff\red stick\sct\Generateur de clef\keygen.exe => moved successfully
C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe => moved successfully
C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat => moved successfully
C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll => moved successfully
EmptyTemp: => 738.7 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-04-16 17:17:18)

"C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso" => Could not move

==== End of Fixlog 17:17:19 ====
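The three MBAM hits above are the registry side of a single scheduled task: a GUID key under TaskCache\Tasks whose Path value names the task, the matching name under TaskCache\Tree, and (normally) an XML file under System32\Tasks that records what the task runs. As an added example that is not part of this thread and is not code from Malwarebytes or FRST, the PowerShell script below walks those keys read-only and reports registrations that are orphaned (registry entries present but task XML gone), whose action target no longer exists on disk, or whose action runs from somewhere other than Windows or Program Files. The "trusted roots" heuristic, the function names and the report format are this example's own assumptions; run it from an elevated PowerShell, and treat a hit as something to look at, not as proof of infection.

```powershell
# Added example (not from the thread, MBAM or FRST): read-only triage of scheduled-task
# registrations via the TaskCache registry keys that MBAM flagged.
# Run from an elevated PowerShell; written to also work on Windows 7's PowerShell 2.0.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskDir   = Join-Path $env:SystemRoot 'System32\Tasks'

# Assumption of this example: a task binary under Windows or Program Files is "expected";
# anything else (user profile, ProgramData, Temp) is reported for a closer look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-TaskCacheEntries {
    # Every Tree node carrying an "Id" value is a task; folder nodes have no Id.
    foreach ($node in Get-ChildItem -Path $treeRoot -Recurse) {
        $id = (Get-ItemProperty -Path $node.PSPath -Name Id -ErrorAction SilentlyContinue).Id
        if (-not $id) { continue }
        # Task name relative to the Tree root, e.g. "\Ninight Collector" or "\Microsoft\Windows\..."
        $name = $node.Name -replace '^.*\\TaskCache\\Tree', ''
        # Tasks\{GUID} holds the Path value MBAM flagged; its absence is itself an inconsistency.
        $taskKey = Get-ItemProperty -Path (Join-Path $tasksRoot $id) -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Name          = $name
            Id            = $id
            TasksKeyFound = [bool]$taskKey
            XmlFile       = Join-Path $taskDir $name.TrimStart('\')
        }
    }
}

function Test-TaskRegistration {
    param($Entry)
    $issues = @()
    if (-not $Entry.TasksKeyFound) { $issues += 'Tree node has no matching Tasks\{GUID} key' }
    if (-not (Test-Path -LiteralPath $Entry.XmlFile)) {
        # Registry keys present but task file gone: an orphaned registration, still worth cleaning up.
        $issues += 'task XML missing under System32\Tasks (orphaned registration)'
        return ,$issues
    }
    $xml = [xml][System.IO.File]::ReadAllText($Entry.XmlFile)
    foreach ($exec in @($xml.Task.Actions.Exec)) {
        if (-not $exec) { continue }   # ComHandler or other non-Exec action
        $cmd = [Environment]::ExpandEnvironmentVariables(([string]$exec.Command).Trim('"', ' '))
        if (-not [System.IO.Path]::IsPathRooted($cmd)) {
            # Bare names such as "cmd.exe" resolve through PATH, as Task Scheduler itself does.
            $found = Get-Command $cmd -ErrorAction SilentlyContinue
            if ($found) { $cmd = $found.Path }
        }
        if (-not (Test-Path -LiteralPath $cmd)) {
            $issues += "action target not found on disk: $cmd"
        } elseif (-not ($trustedRoots | Where-Object { $cmd.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
            $issues += "action runs from an unusual location: $cmd"
        }
    }
    return ,$issues
}

# Build and print the report: one row per task that raised at least one issue.
$report = foreach ($entry in Get-TaskCacheEntries) {
    $issues = @(Test-TaskRegistration $entry)
    if ($issues.Count -gt 0) {
        New-Object PSObject -Property @{ Task = $entry.Name; Id = $entry.Id; Issues = ($issues -join '; ') }
    }
}
$report | Select-Object Task, Id, Issues | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reads the registry and the task XML files, so it is safe to run before and after a cleanup to confirm that a removed task has not left a Tree or Tasks entry behind.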

Juliet
2016-04-16, 20:15
FRST couldn't remove a .iso because it was in use, apologies, shall I remove it manually?

Yes.


Please open Notepad. *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. Save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:
Task: {A6D93872-315E-4DF6-B008-AEC4266537C0} - System32\Tasks\Ninight Collector => C:\Program Files (x86)\Ninight\NngCollector.exe [2016-04-12] ()
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

What issues remain?

W4yneb0t
2016-04-17, 01:00
I removed it manually. No issues or symptoms visible to the naked eye.



Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
Ran by ndjokic (2016-04-16 23:45:33) Run:3
Running from C:\Users\ndjokic\Desktop
Loaded Profiles: ndjokic (Available Profiles: ndjokic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
Task: {A6D93872-315E-4DF6-B008-AEC4266537C0} - System32\Tasks\Ninight Collector => C:\Program Files (x86)\Ninight\NngCollector.exe [2016-04-12] ()
EmptyTemp:
End

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6D93872-315E-4DF6-B008-AEC4266537C0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6D93872-315E-4DF6-B008-AEC4266537C0}" => key removed successfully
C:\Windows\System32\Tasks\Ninight Collector => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ninight Collector" => key removed successfully
EmptyTemp: => 324.5 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 23:46:14 ====

Juliet
2016-04-17, 01:46
No issues or symptoms visible to the naked eye

Music to my ears.


http://i.imgur.com/AFZxnZc.jpg DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.

Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:

Activate UAC
Remove disinfection tools



Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


~~~~~~~~~~~~~~~


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
http://i.imgur.com/E8I37RF.png CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
http://i.imgur.com/EG85Vjt.png Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
http://i.imgur.com/6YRrgUC.png Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
http://i.imgur.com/jv4nhMJ.png NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
http://i.imgur.com/3O8r9Uq.png (http://www.sandboxie.com/) Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
http://i.imgur.com/DgW1XL2.png Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
http://i.imgur.com/j1OLIec.png SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
http://i.imgur.com/sHjS79L.png Unchecky (http://unchecky.com/) automatically removes checkmarks for bundled software in programme installers; helping you avoid adware and PUPs.
http://i.imgur.com/JEP5iWI.png Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.



Want to help others? Join the ClassRoom (http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html) and learn how.

W4yneb0t
2016-04-17, 02:11
Alright, thanks <3

Juliet
2016-04-17, 13:56
Glad we could help. :) http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Since this issue appears resolved ... this Topic is closed.