
Thread: yessearches and wajam virus

  #1 Junior Member (Join Date: Apr 2010, Posts: 20)

    yessearches and wajam virus

    I ran a .exe from an untrusted source after scanning it with MSE and receiving a "no threats found". Immediately after running it, my user account settings were changed to never ask for permission before doing admin things, my browser homepage was set to yessearches, the programs yessearches and wajam appeared in the control panel programs list, and a bunch of gibberish-named processes appeared in the task manager. I manually removed both programs in control panel, closed the processes and reset the account settings. I also deleted the offending .exe, but I can't seem to remove its containing folder because it's "in use". I didn't reboot the PC. I used tweaking, FRST and aswmbr as instructed. In FRST, there was no "all users" checkbox. Addition.txt was too large to attach despite having the 3 things unchecked as the instructions said, so I split it up.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
    Ran by ndjokic (administrator) on NDJOKIC-PC (13-04-2016 23:09:58)
    Running from C:\Users\ndjokic\Desktop\av\frst
    Loaded Profiles: ndjokic (Available Profiles: ndjokic)
    Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
    (AMD) C:\Windows\System32\atiesrxx.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
    (VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
    (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
    (Logitech Inc.) C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
    (TechSmith Corporation) C:\Program Files (x86)\Camtasia\TscHelp.exe
    (hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    (Gorenie) C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
    (PortableApps.com) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\ChromiumPortable.exe
    (The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
    (The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
    (The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe
    (The Chromium Authors & Aluísio Augusto Silva Gonçalves) C:\Users\ndjokic\Desktop\multibox\StarBreakMultibox\App\Chromium\64\chrome.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [835072 2011-01-27] (IDT, Inc.)
    HKLM\...\Run: [Start WingMan Profiler] => C:\Program Files\Logitech\Gaming Software\LWEMon.exe [190536 2010-06-14] (Logitech Inc.)
    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2804976 2013-10-30] (Synaptics Incorporated)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [3825176 2012-11-13] (Safer-Networking Ltd.)
    HKLM-x32\...\Run: [chromebrowser] => "C:\Windows\chromebrowser.exe"
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
    HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {6a70d0d2-ff26-11e1-b4b9-806e6f6e6963} - F:\SWSETUP\APPINSTL\hpsoftwaresetup.exe
    HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {daf1934d-3319-11e2-b636-930c393050a1} - H:\setup.exe
    HKU\S-1-5-21-132009455-2026092721-3990303557-1000\...\MountPoints2: {f21576c4-3c71-11e2-9a04-402cf41c83ea} - G:\autorun\autorun.exe
    ShellIconOverlayIdentifiers: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    ShellIconOverlayIdentifiers-x32: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 62.2.17.60 62.2.24.162 62.2.17.61 62.2.24.158
    Tcpip\..\Interfaces\{578D35C4-7A6D-4670-80A2-46D787BCE321}: [DhcpNameServer] 62.2.17.60 62.2.24.162 62.2.17.61 62.2.24.158
    Tcpip\..\Interfaces\{FF11C6AE-3BBF-47EC-ADA4-DDC7154832BE}: [DhcpNameServer] 7.254.254.254

    Internet Explorer:
    ==================
    HKU\S-1-5-21-132009455-2026092721-3990303557-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ch.search.yahoo.com/?type=435371&fr=spigot-yhp-ie
    SearchScopes: HKU\S-1-5-21-132009455-2026092721-3990303557-1000 -> {69168FDA-9A00-4BF6-979E-D9BE7DCAAAC4} URL = hxxps://ch.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=435371&p={searchTerms}
    BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1
    FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF DefaultSearchEngine: yessearches
    FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
    FF SelectedSearchEngine: yessearches
    FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
    FF NetworkProxy: "autoconfig_url", "http://r-1.ch/twitch.pac"
    FF NetworkProxy: "socks_remote_dns", true
    FF NetworkProxy: "type", 0
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-20] ()
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-20] ()
    FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll [2013-06-26] (Adobe Systems, Inc.)
    FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
    FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-12-27] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-12-27] (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2013-08-30] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-08-30] (RealPlayer)
    FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\ndjokic\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-08-30] (Unity Technologies ApS)
    FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
    FF Extension: Rehost Image - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\rehostimage@engy.us.xpi [2016-01-22]
    FF Extension: Classic Theme Restorer - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-04-10]
    FF Extension: ChatZilla - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-04-13]
    FF Extension: FoxyProxy Standard - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\foxyproxy@eric.h.jung [2016-04-13]
    FF Extension: Classic Theme Restorer - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-04-10]
    FF Extension: ReChat for Twitch™ - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\firefox@rechat.org.xpi [2015-05-29]
    FF Extension: FoxyProxy Standard - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\foxyproxy@eric.h.jung [2016-02-18]
    FF Extension: YouTube Center - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2015-05-29]
    FF Extension: Rehost Image - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\rehostimage@engy.us.xpi [2016-01-22]
    FF Extension: ChatZilla - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2015-10-27]
    FF Extension: Adblock Plus - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23]
    FF Extension: Team Liquid Streams - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\Extensions\{db09811d-efff-4339-a548-8550c7238a30}.xpi [2015-05-29]
    FF Extension: GsearchFinder - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi [2016-04-12]
    FF Extension: ReChat for Twitch™ - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\firefox@rechat.org.xpi [2015-05-29]
    FF Extension: YouTube Center - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2015-05-29]
    FF Extension: Adblock Plus - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23]
    FF Extension: Team Liquid Streams - C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\{db09811d-efff-4339-a548-8550c7238a30}.xpi [2015-05-29]
    FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
    FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-08-30] [not signed]

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
    CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
    CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
    CHR DefaultSearchKeyword: Default -> yessearches
    CHR Profile: C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-05]
    CHR Extension: (Google Drive) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
    CHR Extension: (YouTube) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-05]
    CHR Extension: (Adblock for Youtube™) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2016-03-13]
    CHR Extension: (Google Search) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
    CHR Extension: (Tampermonkey) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-04-12]
    CHR Extension: (Custom Zoom) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\flacjbeghjebdkbgdlncibepomldoebh [2016-02-08]
    CHR Extension: (AdBlock) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-03-18]
    CHR Extension: (RealDownloader) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2015-08-05]
    CHR Extension: (Google Hangouts) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2016-03-18]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
    CHR Extension: (Gmail) - C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-05]
    CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 BugreportW; C:\Program Files (x86)\yesbnd\mbat.exe [990336 2016-04-12] ()
    S2 FedaryqeuleServerSrv; C:\Program Files (x86)\Fedaryqeule\FedaryqeuleServerSrv.exe [315872 2016-04-12] ()
    S4 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [281656 2011-01-28] (Hewlett-Packard Company)
    S4 ImDskSvc; C:\Windows\system32\imdsksvc.exe [11264 2012-07-30] (Olof Lagerkvist) [File not signed]
    S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
    R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
    R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
    S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
    S4 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2009-10-20] (CACE Technologies, Inc.)
    S4 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
    S4 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
    S4 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
    S4 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [762320 2014-11-04] (Tunngle.net GmbH) [File not signed]
    S4 VMAuthdService; C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe [79872 2012-08-15] (VMware, Inc.) [File not signed]
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 AWEAlloc; C:\Windows\System32\DRIVERS\awealloc.sys [18384 2012-02-16] (Olof Lagerkvist)
    S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    R2 ImDisk; C:\Windows\System32\DRIVERS\imdisk.sys [38416 2012-07-30] (Olof Lagerkvist)
    R0 johci; C:\Windows\System32\DRIVERS\johci.sys [26712 2011-01-18] (JMicron Technology Corp.)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
    R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
    R2 NPF; C:\Windows\System32\drivers\npf.sys [47632 2009-10-20] (CACE Technologies, Inc.)
    R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1826048 2010-12-21] ()
    S3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
    S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [105816 2012-09-13] (Oracle Corporation)
    R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [31384 2012-08-15] (VMware, Inc.)
    R0 vsock; C:\Windows\System32\drivers\vsock.sys [70256 2012-07-06] (VMware, Inc.)
    S3 ALSysIO; \??\C:\Users\ndjokic\AppData\Local\Temp\ALSysIO64.sys [X]
    S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-13 23:08 - 2016-04-13 23:09 - 00000000 ____D C:\FRST
    2016-04-13 23:03 - 2016-04-13 23:03 - 00000207 _____ C:\Windows\tweaking.com-regbackup-NDJOKIC-PC-Windows-7-Professional-(64-bit).dat
    2016-04-13 23:02 - 2016-04-13 23:10 - 00000000 ____D C:\Users\ndjokic\Desktop\av
    2016-04-13 22:41 - 2016-04-13 22:48 - 00000000 ____D C:\Program Files (x86)\yesbnd
    2016-04-13 22:41 - 2016-04-13 22:42 - 00000000 ____D C:\Users\ndjokic\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
    2016-04-13 22:41 - 2016-04-13 22:41 - 00014686 _____ C:\Windows\System32\Tasks\Fedaryqeule Server
    2016-04-13 22:41 - 2016-04-13 22:41 - 00014508 _____ C:\Windows\System32\Tasks\Ninight Collector
    2016-04-13 22:41 - 2016-04-13 22:41 - 00000000 ____D C:\Program Files (x86)\Ninight
    2016-04-13 22:41 - 2016-04-13 22:41 - 00000000 ____D C:\Program Files (x86)\Fedaryqeule
    2016-04-13 22:40 - 2016-04-13 22:41 - 00000000 ____D C:\Users\Public\Documents\dmp
    2016-04-13 22:40 - 2016-04-13 22:40 - 02614035 _____ C:\Windows\chromebrowser.exe
    2016-04-10 22:19 - 2016-04-10 23:40 - 00000000 ____D C:\Users\ndjokic\Desktop\fab ub tutorial
    2016-04-01 09:35 - 2016-04-01 09:35 - 00000137 _____ C:\Users\ndjokic\Desktop\Steambirds Alliance.url
    2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\.mono
    2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\Users\ndjokic\AppData\LocalLow\SpryFox
    2016-03-30 22:53 - 2016-03-30 22:53 - 00000000 ____D C:\ProgramData\.mono
    2016-03-28 12:02 - 2016-03-28 12:02 - 00000221 _____ C:\Users\ndjokic\Desktop\TrackMania Nations Forever.url
    2016-03-27 18:53 - 2016-04-13 22:03 - 00000000 ____D C:\Users\ndjokic\Documents\TrackMania
    2016-03-27 18:53 - 2016-03-28 12:25 - 00000000 ____D C:\ProgramData\TrackMania
    2016-03-26 11:09 - 2016-03-26 11:09 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Crunchy Games
    2016-03-26 10:46 - 2016-03-26 10:46 - 00000222 _____ C:\Users\ndjokic\Desktop\StarBreak.url
    2016-03-23 17:25 - 2016-03-23 17:25 - 00085593 _____ C:\Users\ndjokic\Desktop\toocscraj.txt
    2016-03-23 17:09 - 2016-03-23 17:09 - 00001149 _____ C:\Users\ndjokic\Desktop\toocsp.txt
    2016-03-23 17:05 - 2016-03-23 17:05 - 00005648 _____ C:\Users\ndjokic\Desktop\toocscrdb.txt
    2016-03-16 11:54 - 2016-03-16 11:56 - 00000000 ____D C:\Users\ndjokic\Desktop\kb
    2016-03-14 02:08 - 2016-04-04 10:49 - 00000947 _____ C:\Users\ndjokic\Desktop\justalts.txt

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-13 23:10 - 2015-09-11 22:43 - 00017089 _____ C:\Users\ndjokic\Desktop\sb.txt
    2016-04-13 22:48 - 2015-08-05 16:34 - 00002068 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-04-13 22:48 - 2015-08-05 16:34 - 00002056 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2016-04-13 22:48 - 2014-07-23 15:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2016-04-13 22:48 - 2012-09-15 13:51 - 00001873 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2016-04-13 22:48 - 2012-09-15 13:51 - 00001861 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2016-04-13 22:48 - 2012-09-15 13:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2016-04-13 22:45 - 2012-09-15 16:09 - 00000000 ____D C:\games
    2016-04-13 22:43 - 2012-09-18 10:23 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\uTorrent
    2016-04-13 22:29 - 2014-07-03 21:29 - 00000000 ____D C:\Program Files (x86)\Steam
    2016-04-13 22:22 - 2009-07-14 06:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-04-13 22:22 - 2009-07-14 06:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-04-13 22:14 - 2014-01-27 21:49 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2016-04-13 21:46 - 2012-09-18 08:37 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Skype
    2016-04-13 21:41 - 2015-04-18 17:50 - 00003229 _____ C:\Users\ndjokic\Desktop\calendar.txt
    2016-04-13 19:21 - 2014-01-27 21:49 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2016-04-13 19:01 - 2015-08-06 00:09 - 00000000 ____D C:\Users\ndjokic\Desktop\job stuff
    2016-04-13 18:58 - 2013-09-06 20:32 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\TS3Client
    2016-04-13 14:12 - 2015-05-05 14:14 - 00006812 _____ C:\Users\ndjokic\Desktop\todo coding.txt
    2016-04-13 13:35 - 2012-10-11 21:28 - 00000000 ____D C:\Users\ndjokic\.VirtualBox
    2016-04-12 01:00 - 2013-02-02 21:17 - 00000000 ____D C:\Users\ndjokic\Desktop\dls
    2016-04-11 21:41 - 2013-07-11 18:26 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\vlc
    2016-04-10 22:23 - 2009-07-14 07:13 - 00786766 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-04-10 22:23 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
    2016-04-10 22:21 - 2015-11-14 15:01 - 00000000 ____D C:\Users\ndjokic\Desktop\sb vid
    2016-04-10 22:19 - 2015-11-14 13:15 - 00000000 ____D C:\Users\ndjokic\Desktop\screenrec
    2016-04-10 11:01 - 2014-04-23 06:45 - 00003370 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-132009455-2026092721-3990303557-1000
    2016-04-10 11:01 - 2014-04-23 06:45 - 00003240 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-132009455-2026092721-3990303557-1000
    2016-04-10 07:52 - 2014-08-19 11:19 - 00003348 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-132009455-2026092721-3990303557-1000
    2016-04-10 07:52 - 2014-08-19 11:19 - 00003218 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-132009455-2026092721-3990303557-1000
    2016-04-10 07:52 - 2012-12-31 19:09 - 00000000 ____D C:\Users\ndjokic\AppData\Local\TSVNCache
    2016-04-10 07:51 - 2012-10-11 14:18 - 00000000 ____D C:\ProgramData\VMware
    2016-04-10 07:51 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-04-08 00:15 - 2016-03-01 16:26 - 00001023 _____ C:\Users\ndjokic\Desktop\fabdoublegav.ahk
    2016-04-08 00:15 - 2016-02-18 20:31 - 00001045 _____ C:\Users\ndjokic\Desktop\fabgav.ahk
    2016-04-08 00:15 - 2016-02-17 17:35 - 00001015 _____ C:\Users\ndjokic\Desktop\fab.ahk
    2016-04-08 00:15 - 2016-01-23 22:00 - 00000993 _____ C:\Users\ndjokic\Desktop\dw autoswitch.ahk
    2016-04-08 00:14 - 2016-01-27 17:41 - 00001130 _____ C:\Users\ndjokic\Desktop\fab old.ahk
    2016-04-08 00:14 - 2015-09-22 23:19 - 00000469 _____ C:\Users\ndjokic\Desktop\dw.ahk
    2016-04-07 14:53 - 2015-12-26 17:33 - 00009843 _____ C:\Users\ndjokic\Documents\NetUptime.txt
    2016-04-04 15:44 - 2014-02-17 15:18 - 00000000 ____D C:\Users\ndjokic\Desktop\stuff
    2016-04-04 10:57 - 2015-08-22 17:07 - 00000000 ____D C:\Users\ndjokic\AppData\Roaming\Jitsi
    2016-04-04 10:57 - 2015-08-22 17:07 - 00000000 ____D C:\Users\ndjokic\AppData\Local\Jitsi
    2016-04-02 13:02 - 2013-02-25 05:00 - 00000000 ____D C:\Users\ndjokic\Desktop\permutation stuff
    2016-04-01 14:47 - 2015-05-09 20:11 - 00005753 _____ C:\Users\ndjokic\Desktop\task ideas.txt
    2016-03-28 12:29 - 2012-09-15 12:29 - 00000000 ____D C:\Users\ndjokic\AppData\Local\VirtualStore
    2016-03-26 11:09 - 2014-07-12 00:24 - 00000000 ____D C:\ProgramData\Package Cache
    2016-03-22 12:12 - 2015-11-22 14:59 - 00000000 ____D C:\Users\ndjokic\AppData\Local\CrashDumps
    2016-03-20 11:33 - 2013-06-29 04:46 - 00000000 ____D C:\Users\ndjokic\AppData\Local\Adobe
    2016-03-20 11:32 - 2012-09-20 11:32 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-03-20 11:32 - 2012-09-20 11:32 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

    ==================== Files in the root of some directories =======

    2015-02-04 16:54 - 2015-05-11 21:40 - 0001042 _____ () C:\Users\ndjokic\AppData\Roaming\SpeedRunnersLog.txt
    2015-02-27 00:29 - 2015-02-27 00:29 - 0000335 _____ () C:\Users\ndjokic\AppData\Local\Perfmon.PerfmonCfg
    2012-10-08 13:00 - 2012-10-08 13:13 - 0000600 _____ () C:\Users\ndjokic\AppData\Local\PUTTY.RND
    2013-03-30 21:45 - 2015-10-27 18:20 - 0007635 _____ () C:\Users\ndjokic\AppData\Local\Resmon.ResmonCfg
    2015-03-21 11:50 - 2015-03-21 11:50 - 0000000 _____ () C:\Users\ndjokic\AppData\Local\{98C9AFB2-5902-4A3A-B059-FE3063B0560A}

    Some files in TEMP:
    ====================
    C:\Users\ndjokic\AppData\Local\Temp\ads.exe
    C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
    C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
    C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
    C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
    C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-04-08 00:47

    ==================== End of FRST.txt ============================

  2. #2
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Hi

    Running from C:\Users\ndjokic\Desktop\av\frst

    It's best we move Farbar's to desktop.

    Please go to your desktop, locate the folder av\frst, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.


    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite an existing one, please allow).

    start
    CreateRestorePoint:
    CloseProcesses:
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)
    FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF DefaultSearchEngine: yessearches
    FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
    FF SelectedSearchEngine: yessearches
    FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
    CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
    CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
    CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
    CHR DefaultSearchKeyword: Default -> yessearches
    C:\Users\ndjokic\AppData\Local\Temp\ads.exe
    C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
    C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
    C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
    C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
    C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe
    CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    ShortcutWithArgument: C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://files.gokgs.com/javaBin/cgoban.jnlp "C:\Users\ndjokic\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\21086f76-383a84fa"
    EmptyTemp:
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

    ~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
    • Click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[S1].txt.

    ======================================================


    Please download Junkware Removal Tool (or from here: http://downloads.malwarebytes.org/file/jrt) to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~~~~~~~~~
    Please post:
    Fixlog.txt
    AdwCleaner[C1].txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member
    Join Date
    Apr 2010
    Posts
    20

    Default

    After the second restart, Chrome asked for admin rights, which I didn't give. Logs are attached.

    Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
    Ran by ndjokic (2016-04-14 23:55:37) Run:1
    Running from C:\Users\ndjokic\Desktop
    Loaded Profiles: ndjokic (Available Profiles: ndjokic)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-27] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-27] (Oracle Corporation)
    FF NewTab: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF DefaultSearchEngine: yessearches
    FF DefaultSearchEngine.US: data:text/plain,browser.search.defaultenginename.US=yessearches
    FF SelectedSearchEngine: yessearches
    FF Homepage: hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffseng
    FF Keyword.URL: hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q=
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin HKU\S-1-5-21-132009455-2026092721-3990303557-1000: ubisoft.com/uplaypc -> C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll [No File]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml [2015-11-30]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-13]
    FF SearchPlugin: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml [2015-11-30]
    CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE..
    CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=wak&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412&ts=AHEqA3IsA30qCE.."
    CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=nnnb
    CHR DefaultSearchKeyword: Default -> yessearches
    C:\Users\ndjokic\AppData\Local\Temp\ads.exe
    C:\Users\ndjokic\AppData\Local\Temp\appstart.exe
    C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe
    C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe
    C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll
    C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll
    C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe
    CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ndjokic\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    ShortcutWithArgument: C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\javaws.exe (Oracle Corporation) -> -localfile -J-Djnlp.application.href=hxxp://files.gokgs.com/javaBin/cgoban.jnlp "C:\Users\ndjokic\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\21086f76-383a84fa"
    EmptyTemp:
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
    "HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
    "HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
    Firefox "newtab" removed successfully
    Firefox DefaultSearchEngine removed successfully
    Firefox DefaultSearchEngine.US removed successfully
    Firefox SelectedSearchEngine removed successfully
    Firefox "homepage" removed successfully
    Firefox "Keyword.URL" removed successfully
    "HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully
    "HKU\S-1-5-21-132009455-2026092721-3990303557-1000\Software\MozillaPlugins\ubisoft.com/uplaypc" => key removed successfully
    C:\games\Trials Evolution Gold Edition\datapack\orbit\npuplaypc.dll => not found.
    C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\searchplugins\yahoo_ff.xml => moved successfully
    C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml => moved successfully
    C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\yahoo_ff.xml => moved successfully
    Chrome HomePage => removed successfully
    Chrome StartupUrls => removed successfully
    Chrome DefaultSearchURL => removed successfully
    Chrome DefaultSearchKeyword => removed successfully
    C:\Users\ndjokic\AppData\Local\Temp\ads.exe => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\appstart.exe => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\dxdiag.exe => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna1360448439069212405.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna294053652032923175.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna3065417005596449056.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna3081127520328937171.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna3392912898606427213.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna4842340648409676810.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\jna5499633561028554623.dll => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\SkypeSetup.exe => moved successfully
    C:\Users\ndjokic\AppData\Local\Temp\Uninstall.exe => moved successfully
    "HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
    "HKU\S-1-5-21-132009455-2026092721-3990303557-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => key removed successfully
    C:\Users\ndjokic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KGS Online\CGoban 3.lnk => Shortcut argument removed successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========


    ========= netsh winsock reset all =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.


    ========= End of CMD: =========


    ========= netsh int ipv4 reset =========

    Reseting Global, OK!
    Reseting Interface, OK!
    Reseting Unicast Address, OK!
    Reseting Route, OK!
    Reseting Subinterface, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========


    ========= netsh int ipv6 reset =========

    Reseting Interface, OK!
    Reseting Unicast Address, OK!
    Reseting Route, OK!
    Reseting Subinterface, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0 [ 7.5.7601 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.

    BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

    20 out of 20 jobs canceled.

    ========= End of CMD: =========


    ========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========

    EmptyTemp: => 8.6 GB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 23:57:41 ====

    # AdwCleaner v5.111 - Logfile created 15/04/2016 at 00:08:39
    # Updated 14/04/2016 by Xplode
    # Database : 2016-04-11.4 [Server]
    # Operating system : Windows 7 Professional Service Pack 1 (X64)
    # Username : ndjokic - NDJOKIC-PC
    # Running from : C:\Users\ndjokic\Desktop\AdwCleaner.exe
    # Option : Clean
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    [-] Folder Deleted : C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\YourGSearchFinder_br

    ***** [ Files ] *****


    ***** [ DLLs ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKCU\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}
    [-] Key Deleted : HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}
    [-] Key Deleted : HKCU\Software\OCS
    [-] Key Deleted : HKLM\SOFTWARE\yessearchesSoftware
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{69168FDA-9A00-4BF6-979E-D9BE7DCAAAC4}

    ***** [ Web browsers ] *****

    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\arbmcia9.default-1362714903871\prefs.js] Deleted : user_pref("keyword.URL", "hxxps://ch.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=435371&p=");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.hp", "hxxp://www.yessearches.com/?ts=AHEqA3IsA30qCE..&v=20160412&uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&mode=ffsengext");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.sp", "hxxp://www.yessearches.com/chrome.php?mode=ffsengext&ptid=wak&q={searchTerms}&ts=AHEqA3IsA30qCE..&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("browser.search.searchengine.url", "hxxp://www.yessearches.com/chrome.php?mode=ffsengext&ptid=wak&q={searchTerms}&ts=AHEqA3IsA30qCE..&uid=4D9800C4DDE8C5E588289AA4A0C32695&v=20160412");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.BUTTON_STRUCTURE", "[{"b":224520315,"c":"mindspark.magnify","p":"L.0"},{"b":224520316,"c":"mindspark.entersearchterms","p":"L.0.0[...]
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.browser.version.last", "42.0");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.firstKnownVersion", "7.38.8.45986");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.homepage", "/index.jhtml?n=782a596a");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.hp.enabled", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.hp.guardType", "HPR");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.initialized", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.installation.installDate", "2016041322");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.installation.success", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lastActivePing", "1460580564460");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lastKnownVersion", "7.38.8.45986");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.lssState", "{"previousLocales":["en-US","en"],"supportedLocales":["de","es","pt","ja","en"],"defaultLocale":"en","supportedLo[...]
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.defaultSearch", false);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.homePageEnabled", false);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.keywordEnabled", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.options.tabEnabled", false);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.productDeliveryOption.language", "en");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.productDeliveryOption.type", "Toolbar");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.successUrl", "hxxp://www.yessearches.com/chrome.php?uid=4D9800C4DDE8C5E588289AA4A0C32695&ptid=wak&ts=AHEqA3IsA30qCE..&v=20160412&mode=ffexttoolbar&q[...]
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.toolbarCollapsed", false);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark._brMembers_.uninstallTasks", "{"prefBranchesToDelete":["extensions.toolbar.mindspark._brMembers_."],"filesToDelete":["C:\\\\Users\\\\ndjokic\\\\AppData\\[...]
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "yourGSearchfinder@GSearch.com");
    [-] [C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\prefs.js] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "yourGSearchfinder@GSearch.com");

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared
    :: Chrome preferences reset : C:\Users\ndjokic\AppData\Local\Google\Chrome\User Data\Default

    *************************

    C:\AdwCleaner\AdwCleaner[C1].txt - [7353 bytes] - [15/04/2016 00:08:39]
    C:\AdwCleaner\AdwCleaner[S1].txt - [7340 bytes] - [15/04/2016 00:05:31]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7499 bytes] ##########

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.4 (03.14.2016)
    Operating System: Windows 7 Professional x64
    Ran by ndjokic (Administrator) on 15/04/2016 at 0:17:15.97
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    File System: 15

    Successfully deleted: C:\ProgramData\Start Menu\Programs\(default) (Folder)
    Successfully deleted: C:\Users\ndjokic\AppData\Roaming\3909 (Folder)
    Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi (File)
    Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi (File)
    Successfully deleted: C:\Users\ndjokic\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\searchplugins\yahoo_ff.xml (File)
    Successfully deleted: C:\Users\ndjokic\AppData\Roaming\speedrunnerslog.txt (File)
    Successfully deleted: C:\Windows\chromebrowser.exe (File)
    Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FIYZ7QI (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6C7HJ9I5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72BPMKMX (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\ndjokic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPZVFHFF (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FIYZ7QI (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6C7HJ9I5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72BPMKMX (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPZVFHFF (Temporary Internet Files Folder)



    Registry: 0





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 15/04/2016 at 0:23:11.05
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  4. #4
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Please run this security check.

    Download Security Check by screen317 from here.
    or these 2 other sites.
    http://rocketgrannie.spywareinfoforu...urityCheck.exe
    http://www.bleepingcomputer.com/download/securitycheck/

    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    ~~~~~~~~~~~~~~~~~~~

    Download Malwarebytes' Anti-Malware TO YOUR DESKTOP


    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"







    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan


      After the restart once you are back at your desktop, open MBAM once more.
      Click on the History tab > Application Logs.
      Double click on the scan log which shows the Date and time of the scan just performed.
      Click 'Copy to Clipboard'
      Paste the contents of the clipboard into your reply
    • Exit Malwarebytes


    ~~~~~~~~~~~~~

    After running the above 2 scans please give me an update on how the computer is now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #5
    Junior Member
    Join Date
    Apr 2010
    Posts
    20

    Default

    I had a problem with Malwarebytes: on the dashboard, I clicked "scan now" (there's no "scan" on the dashboard), but that didn't ask me whether to do a "threat scan" or something else, it just started. So I canceled that scan, then went into the "scan" menu (not dashboard), where I could choose "threat scan", and proceeded with that. Now, in the history tab, there's only a scan log from the scan that was canceled after a few seconds, not from the one that finished. That one quarantined about 3400 items, some of which were related to yessearches, but its log is just missing.

    I don't see any symptoms of an infection at the moment, thanks for your help.



    Results of screen317's Security Check version 1.014 --- 12/23/15
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Java 8 Update 25
    Java version 32-bit out of Date!
    Adobe Flash Player 21.0.0.182
    Mozilla Firefox (42.0)
    Mozilla Thunderbird 17.0.3 Thunderbird out of Date!
    Google Chrome (49.0.2623.110)
    Google Chrome (49.0.2623.112)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

  6. #6
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    quarantined about 3400 items,
    That's amazing and kinda concerning.

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.

    Please read this article about Java.

    I would recommend that you completely uninstall Java unless you need it to run an important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

    If you do need to keep Java then download JavaRa
    Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
    Once done then run it again and select Update Java runtime > Download and install Latest version.

    Java <-- latest version, (watch out for "Optional Offers" or bundled software)

    ~~~~~~~~~~~~~~~

    Let's run one more quick scan with MBAM, this one should show up in the logs and hopefully it finds nothing.

    Open MBAM
    • On the Dashboard click on Update Now
      If any updates are found allow them to be downloaded and installed.

      Next
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan


    When completed




    Open up Malwarebytes and you will be on the Dashboard
    Click on the History Tab
    Then click on Application Logs
    Double click on the SCAN LOG (Not Protection Log ) you just ran

    Then click on Export
    On the drop down list click on Copy to Clipboard
    Then paste the log back into this thread

    ~~~~~~~~~~~~~~~~~~~~~~~

    What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course on how full your computer is.



    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click . If no threats were found, skip the next two bullet points.
    • Click and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to and click .
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.



    Also, can you give me an update on how the computer is at the moment.

  7. #7
    Junior Member
    Join Date
    Apr 2010
    Posts
    20

    Default

    There's something strange about MBAM logs. This time MBAM quarantined 4 items, but the log says 0 everywhere. There are no symptoms of an infection, other than what the various AV tools are reporting.



    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 15/04/2016
    Scan Time: 21:53
    Logfile:
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.04.15.05
    Rootkit Database: v2016.04.09.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: ndjokic

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 363498
    Time Elapsed: 18 min, 23 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)






    C:\comics\The Far Side\Far Side\Install to view cbr files.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
    C:\FRST\Quarantine\C\Users\ndjokic\AppData\Local\Temp\CodecFixDivx.exe.xBAD a variant of Win32/IStartSurf.R potentially unwanted application
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar a variant of Win32/Packed.VMProtect.ABD trojan
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll a variant of Win32/Packed.VMProtect.ABD trojan
    C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso a variant of Win32/HackTool.Crack.CC potentially unsafe application
    C:\games\Rayman Legends i1\steam_api.dll a variant of Win32/HackTool.Crack.BQ potentially unsafe application
    C:\games\Rayman Legends i1\uplay_r1.dll Win32/HackTool.Crack.DG potentially unsafe application
    C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso a variant of Win32/HackTool.Crack.BQ potentially unsafe application
    C:\games\Speedrunners\steam_api.dll a variant of Win32/HackTool.Crack.DW potentially unsafe application
    C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll a variant of Win32/HackTool.Crack.DW potentially unsafe application
    C:\games\The Witness\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
    C:\games\The Witness\steam_api64.dll a variant of Win64/HackTool.Crack.F potentially unsafe application
    C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso a variant of Win32/HackTool.Crack.CS potentially unsafe application
    C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
    C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
    C:\old stuff\red stick\sct\Generateur de clef\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
    C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
    C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application
    C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
    C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

  8. #8
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

    Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.
    If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.
    I strongly recommend you refrain from participating in this activity; your computer will be repeatedly infected otherwise. Simply visiting a cracked software site can result in infection via drive-by exploits of vulnerable software.
    Additionally, cracked programs are illegal.

    Forum Policy
    I strongly suggest you remove any cracked software that is installed, we do not approve nor will we provide support in the future for problems produced because of illegal software.

    ~~~~~~~~~~~~~~~~~~~~~
    Please open Notepad (*Do Not Use Wordpad!* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).





    start
    CreateRestorePoint:
    CloseProcesses:

    C:\comics\The Far Side\Far Side\Install to view cbr files.exe
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll
    C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso
    C:\games\Rayman Legends i1\steam_api.dll
    C:\games\Rayman Legends i1\uplay_r1.dll
    C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso
    C:\games\Speedrunners\steam_api.dll
    C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll
    C:\games\The Witness\steam_api.dll
    C:\games\The Witness\steam_api64.dll
    C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso
    C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe
    C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe
    C:\old stuff\red stick\sct\Generateur de clef\keygen.exe
    C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe
    C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat
    C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    ~~~~~~~~~~~~~~~

    After running the above script, please run MBAM again.
    Before the window closes can you type down the name of what it finds so I can see what was detected?
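    One way to turn the ESET detection list in post #7 into the kind of FRST fixlist that post #8 builds from it, as an added example that is not part of the thread and not code from ESET, Farbar or the helper: it parses the detection lines, drops anything already sitting in a quarantine folder (the helper's note that ESET's settings would surface quarantined items), de-duplicates, and writes out the fixlist skeleton used above. The line shape and the quarantine-folder filter are assumptions inferred from the log excerpt; the helper's own choice to leave out the Shockwave gt.exe entry is a judgement call the script does not reproduce, so its output is a draft for review, not a finished fixlist.

```python
"""Triage helper: ESET Online Scanner detection lines -> FRST fixlist draft.

Added example for this thread; not code from ESET, Farbar or the forum helper.
The line format and the quarantine-folder filter are assumptions inferred from
the log excerpt in the thread. Everything the filter keeps still needs a human
look before it goes into a real fixlist.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the shape of the ESET detection lines quoted above:
# "<path with spaces> [a variant of ]<Win32|Win64>/<name> <category>"
ESET_LOG = """\
C:\\comics\\The Far Side\\Far Side\\Install to view cbr files.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\\FRST\\Quarantine\\C\\Users\\ndjokic\\AppData\\Local\\Temp\\CodecFixDivx.exe.xBAD a variant of Win32/IStartSurf.R potentially unwanted application
C:\\games\\Rayman Legends i1\\uplay_r1.dll Win32/HackTool.Crack.DG potentially unsafe application
C:\\old stuff\\red stick\\sct\\Generateur de clef\\keygen.exe a variant of Win32/Keygen.AN potentially unsafe application
"""

# The path may contain spaces, so anchor on the detection name instead: it is
# the first whitespace-free token containing "/" (Windows paths use
# backslashes), optionally preceded by "a variant of".
_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<detection>(?:a variant of )?\S+/\S+) (?P<category>.+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    detection: str
    category: str


def parse_eset_log(text: str) -> list[Detection]:
    """Parse detection lines; lines that do not fit the shape are skipped."""
    found = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            found.append(Detection(m["path"], m["detection"], m["category"]))
    return found


def in_quarantine(path: str) -> bool:
    """True if any folder in the path is a quarantine store (assumed convention).

    The helper warned that ESET's settings would surface files already moved
    to C:\\FRST\\Quarantine; those are already neutralised and must not be
    listed in the fixlist again.
    """
    return any(p.lower() == "quarantine" for p in PureWindowsPath(path).parts)


def select_for_fixlist(items: list[Detection]) -> list[Detection]:
    """Keep live files only, de-duplicated (case-insensitive) in first-seen order."""
    seen, keep = set(), []
    for d in items:
        key = d.path.lower()
        if in_quarantine(d.path) or key in seen:
            continue
        seen.add(key)
        keep.append(d)
    return keep


def build_fixlist(paths: list[str]) -> str:
    """Emit a fixlist in the layout used in the thread: restore point first,
    processes closed, the file paths, then temp cleanup."""
    body = ["start", "CreateRestorePoint:", "CloseProcesses:", ""]
    body += paths
    body += ["EmptyTemp:", "End"]
    return "\n".join(body)


if __name__ == "__main__":
    live = select_for_fixlist(parse_eset_log(ESET_LOG))
    for d in live:
        print(f"{d.detection:40} {d.category:32} {d.path}")
    print()
    print(build_fixlist([d.path for d in live]))
```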

  9. #9
    Junior Member
    Join Date
    Apr 2010
    Posts
    20

    Default

    MBAM found 3 threats, and the scan log is again simply missing. FRST couldn't remove a .iso because it was in use, apologies, shall I remove it manually? Here's what MBAM found:

    PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Value - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A6D93872-315E-4DF6-B008-AEC4266537C0}|Path

    PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Key - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A6D93872-315E-4DF6-B008-AEC4266547C0}

    PUP.Optional.Yessearches - Potentially Unwanted Program - Registry Key - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Ninight Collector



    Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
    Ran by ndjokic (2016-04-16 17:14:03) Run:2
    Running from C:\Users\ndjokic\Desktop
    Loaded Profiles: ndjokic (Available Profiles: ndjokic)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:

    C:\comics\The Far Side\Far Side\Install to view cbr files.exe
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll
    C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso
    C:\games\Rayman Legends i1\steam_api.dll
    C:\games\Rayman Legends i1\uplay_r1.dll
    C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso
    C:\games\Speedrunners\steam_api.dll
    C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll
    C:\games\The Witness\steam_api.dll
    C:\games\The Witness\steam_api64.dll
    C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso
    C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe
    C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe
    C:\old stuff\red stick\sct\Generateur de clef\keygen.exe
    C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe
    C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat
    C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll
    EmptyTemp:
    End

    *****************

    Restore point was successfully created.
    Processes closed successfully.
    C:\comics\The Far Side\Far Side\Install to view cbr files.exe => moved successfully
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM.rar => moved successfully
    C:\games\10 Second Ninja\10 Second Ninja Crakced-3DM\10.Second.Ninja.Crakced-3DM\10 Second Ninja\steam_api.dll => moved successfully
    C:\games\Payday the Heist t\Payday.The.Heist-RELOADED\rld-pdth.iso => moved successfully
    C:\games\Rayman Legends i1\steam_api.dll => moved successfully
    C:\games\Rayman Legends i1\uplay_r1.dll => moved successfully
    C:\games\Rayman Legends t1\Rayman.Legends-RELOADED\rld-rlegends.iso => moved successfully
    C:\games\Speedrunners\steam_api.dll => moved successfully
    C:\games\speedrunners t\SpeedRunners.and.crack.Steamworks.Revolt\Cracks\Offline\steam_api.dll => moved successfully
    C:\games\The Witness\steam_api.dll => moved successfully
    C:\games\The Witness\steam_api64.dll => moved successfully
    Could not move "C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso" => Scheduled to move on reboot.
    C:\old stuff\laptop backup\copied\sct\Generateur de clef\keygen.exe => moved successfully
    C:\old stuff\laptop backup\desktop\sct\Generateur de clef\keygen.exe => moved successfully
    C:\old stuff\red stick\sct\Generateur de clef\keygen.exe => moved successfully
    C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe => moved successfully
    C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat => moved successfully
    C:\Users\ndjokic\AppData\LocalLow\Sun\Java\jre1.7.0_09\java_sp.dll => moved successfully
    EmptyTemp: => 738.7 MB temporary data Removed.

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-04-16 17:17:18)

    "C:\games\The Witness t\The.Witness-HI2U\hi-thwit.iso" => Could not move

    ==== End of Fixlog 17:17:19 ====

  10. #10
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    FRST couldn't remove a .iso because it was in use, apologies, shall I remove it manually?
    Yes.


    Please open Notepad (*Do Not Use Wordpad!* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).





    start
    CreateRestorePoint:
    CloseProcesses:
    Task: {A6D93872-315E-4DF6-B008-AEC4266537C0} - System32\Tasks\Ninight Collector => C:\Program Files (x86)\Ninight\NngCollector.exe [2016-04-12] ()
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    What issues remain?
