
Thread: SmitFraud infection (possible others)

  #11 - Junior Member (Join Date: Nov 2007, Posts: 13)

    I ran the AdwCleaner again and the Malwarebytes programs as instructed. Below are the logs.

    AdwCleaner(C2).txt

    # AdwCleaner v5.201 - Logfile created 10/08/2016 at 09:15:38
    # Updated 30/06/2016 by ToolsLib
    # Database : 2016-08-09.1 [Server]
    # Operating system : Windows 7 Home Premium Service Pack 1 (X64)
    # Username : Debbie Williams - DEBBIEWILLIAMS
    # Running from : C:\Users\Debbie Williams\Desktop\AdwCleaner.exe
    # Option : Clean
    # Support : https://toolslib.net/forum

    ***** [ Services ] *****

    [-] Service Deleted : BackupStack

    ***** [ Folders ] *****

    [-] Folder Deleted : C:\Users\Debbie Williams\AppData\LocalLow\HPAppData
    [-] Folder Deleted : C:\Users\Debbie Williams\AppData\Roaming\Yahoo!\Companion
    [-] Folder Deleted : C:\Users\Debbie Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowShopper
    [-] Folder Deleted : C:\extensions

    ***** [ Files ] *****


    ***** [ DLLs ] *****


    ***** [ WMI ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL
    [-] Key Deleted : HKLM\SOFTWARE\Classes\Applications\iMesh_V11_en_Setup.exe
    [-] Key Deleted : HKLM\SOFTWARE\Classes\Applications\iMeshV11.exe
    [-] Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin
    [-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}
    [-] Key Deleted : HKCU\Software\Classes\CLSID\{BEBBC426-4F16-4567-8FE1-BE198C982027}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F51C15D4-3D0A-4DBA-A095-EBCC09F24DA2}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
    [-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}
    [-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    [-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    [-] Key Deleted : HKCU\Software\APN
    [-] Key Deleted : HKCU\Software\APN PIP
    [-] Key Deleted : HKCU\Software\Tune
    [-] Key Deleted : HKCU\Software\Yahoo\Companion
    [-] Key Deleted : HKCU\Software\systweak
    [-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
    [-] Key Deleted : HKLM\SOFTWARE\PIP
    [-] Key Deleted : HKLM\SOFTWARE\Tune
    [-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
    [-] Key Deleted : HKLM\SOFTWARE\systweak
    [-] Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1220429911-571419994-1192886686-1000\Software\Alexa Internet
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1220429911-571419994-1192886686-1000\Software\Mega Browse
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\akamaihd.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driverupdate.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\hdapp1008-a.akamaihd.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\trovi.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\wajam.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.driverupdate.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.wajam.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akamaihd.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\audiotoaudio.dl.myway.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cdncache-a.akamaihd.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\easymaillogin.dl.myway.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hdapp1008-a.akamaihd.net
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mapsgalaxy.dl.tb.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mmotraffic.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\myway.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\productivityboss.dl.tb.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\radiorage.dl.tb.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovi.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\videodownloadconverter.dl.tb.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\wajam.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\websearch.about.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.driverupdate.net

    ***** [ Web browsers ] *****

    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : amazon.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.conduit.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : Mysearchdial.com
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : trovi.search
    [-] [C:\Users\Debbie Williams\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : pbjikboenpfhbbejgkoklgkhjpfogcam

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C1].txt - [10392 bytes] - [09/08/2016 14:39:38]
    C:\AdwCleaner\AdwCleaner[C2].txt - [7389 bytes] - [10/08/2016 09:15:38]
    C:\AdwCleaner\AdwCleaner[S1].txt - [9200 bytes] - [09/08/2016 11:28:11]
    C:\AdwCleaner\AdwCleaner[S2].txt - [7607 bytes] - [09/08/2016 21:04:22]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [7608 bytes] ##########



    Malwarebytes log:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 8/10/2016
    Scan Time: 9:21 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.08.10.07
    Rootkit Database: v2016.08.09.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Debbie Williams

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 315129
    Time Elapsed: 13 min, 44 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 1
    Trojan.Agent, C:\Windows\hosts, Quarantined, [b2bd2a1f35651d19fa1b16132ed5e917],

    Physical Sectors: 0
    (No malicious items detected)


    (end)


    As far as how the computer is running now, I will have to get my sister-in-law to use it for a few days and then let me know how it is going. I will report back when she gives me more info. Thank you.

  #12 - Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    It should be running better now.

    One more scan

    Please download Emsisoft Emergency Kit and save it to your desktop.
    Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
    • Leave all settings as they are and click the Extract button at the bottom.
    • A folder named EEK will be created in the root of the drive (usually c:\).
    • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
    • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
    • Please click Yes so that it downloads the latest database updates.
    • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
    • Click on Scan to be taken to the scan options.
    • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
    • Click on the Malware Scan button to start the scan.
    • When the scan is completed click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
    • Please save the log in Notepad on your desktop, and copy it to your next reply.
    • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  #13 - Junior Member (Join Date: Nov 2007, Posts: 13)

    I ran the EEK program scan and the log is below:


    Emsisoft Emergency Kit - Version 11.9
    Last update: 8/10/2016 11:15:42 AM
    User account: DebbieWilliams\Debbie Williams
    Computer name: DEBBIEWILLIAMS
    OS version: Windows 7x64 Service Pack 1

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start: 8/10/2016 11:16:32 AM
    C:\Users\Debbie Williams\AppData\LocalLow\HPAppData detected: Application.AdInstall (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Key: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY\DOMSTORAGE\WWW.SUPERFISH.COM detected: Application.AdFish (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F45B09B0-01D1-4E04-AE42-8650196F04CC} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{098E4E5F-7877-4EBE-9A51-49CDEFBED242} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{191EA747-1B0F-4895-8A45-B96A9EE15E28} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{3F210473-F79B-48AA-B4B0-78872B5B4541} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{4EECBA27-86E3-49FF-9084-986F22CFDE7B} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{661A3047-196C-40BE-B957-98532655A787} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{A3BD0431-C030-45BF-915D-01C8E8AF05D7} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{B32878B5-90B1-4775-A6DF-DF5FEF423606} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C13F1DBD-F8F6-496F-957A-2FDF9594BF4F} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{D8F4593C-CCD4-499C-99A3-ABE6427195B9} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{DFF78A48-9941-4ABF-8E21-E1D66F6AF4B1} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E64A3E85-DA78-4178-91A8-E9FAA308375B} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} detected: Application.BrowserExt (A)

    Scanned 73937
    Found 35

    Scan end: 8/10/2016 11:22:29 AM
    Scan time: 0:05:57

  #14 - Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Is Emsisoft Emergency Kit still on desktop?

    What was found we can allow it to delete.

    • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
    • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
    • Please save the log in Notepad on your desktop, and copy it to your next reply.
    • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

  #15 - Junior Member (Join Date: Nov 2007, Posts: 13)

    Emsisoft Emergency Kit was closed once the log was pasted.

    I will run the scan again and follow your instructions.

    Thank you.

  #16 - Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Thank you

  #17 - Junior Member (Join Date: Nov 2007, Posts: 13)

    I ran the EEK and the log report is below:

    EEK Log/Report:

    Emsisoft Emergency Kit - Version 11.9
    Last update: 8/10/2016 11:15:42 AM
    User account: DebbieWilliams\Debbie Williams
    Computer name: DEBBIEWILLIAMS
    OS version: Windows 7x64 Service Pack 1

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start: 8/11/2016 9:34:40 AM
    C:\Users\Debbie Williams\AppData\LocalLow\HPAppData detected: Application.AdInstall (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
    Key: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY\DOMSTORAGE\WWW.SUPERFISH.COM detected: Application.AdFish (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F45B09B0-01D1-4E04-AE42-8650196F04CC} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{098E4E5F-7877-4EBE-9A51-49CDEFBED242} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{191EA747-1B0F-4895-8A45-B96A9EE15E28} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{3F210473-F79B-48AA-B4B0-78872B5B4541} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{4EECBA27-86E3-49FF-9084-986F22CFDE7B} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{661A3047-196C-40BE-B957-98532655A787} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{A3BD0431-C030-45BF-915D-01C8E8AF05D7} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{B32878B5-90B1-4775-A6DF-DF5FEF423606} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C13F1DBD-F8F6-496F-957A-2FDF9594BF4F} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{D8F4593C-CCD4-499C-99A3-ABE6427195B9} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{DFF78A48-9941-4ABF-8E21-E1D66F6AF4B1} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E64A3E85-DA78-4178-91A8-E9FAA308375B} detected: Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} detected: Application.BrowserExt (A)

    Scanned 75604
    Found 35

    Scan end: 8/11/2016 9:41:13 AM
    Scan time: 0:06:33

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E9D59045-793B-4638-ABB6-881E6CE9AEEA} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E64A3E85-DA78-4178-91A8-E9FAA308375B} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{DFF78A48-9941-4ABF-8E21-E1D66F6AF4B1} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{D8F4593C-CCD4-499C-99A3-ABE6427195B9} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C13F1DBD-F8F6-496F-957A-2FDF9594BF4F} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{B32878B5-90B1-4775-A6DF-DF5FEF423606} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{A3BD0431-C030-45BF-915D-01C8E8AF05D7} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{962DE9EA-6508-4D38-B5A1-EA8E431CF0A0} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{661A3047-196C-40BE-B957-98532655A787} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{5F33EE20-E09F-45E9-AB0C-9221AF3D2651} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{4EECBA27-86E3-49FF-9084-986F22CFDE7B} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{3F210473-F79B-48AA-B4B0-78872B5B4541} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{191EA747-1B0F-4895-8A45-B96A9EE15E28} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{178A8078-832D-4E6E-9287-29507867134A} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1606FE93-4CB7-4C6A-9947-7362FDB6C121} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{0CEC5206-43FA-4BC8-91A7-DC5B121F7960} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{098E4E5F-7877-4EBE-9A51-49CDEFBED242} Application.BrowserExt (A)
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F45B09B0-01D1-4E04-AE42-8650196F04CC} Application.BrowserExt (A)
    Key: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY\DOMSTORAGE\WWW.SUPERFISH.COM Application.AdFish (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS Setting.NoFolderOptions (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS Setting.NoFolderOptions (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN Setting.NoRun (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN Setting.NoRun (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Setting.DisableRegistryTools (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Setting.DisableRegistryTools (A)
    Value: HKEY_USERS\S-1-5-21-1220429911-571419994-1192886686-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Setting.DisableTaskMgr (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Setting.DisableTaskMgr (A)
    C:\Users\Debbie Williams\AppData\LocalLow\HPAppData Application.AdInstall (A)

    Quarantined 31
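    Both EEK logs above flag the same four policy values (DisableTaskMgr, DisableRegistryTools, NoRun, NoFolderOptions), which is how this kind of infection keeps the user away from Task Manager, the Registry Editor, the Run box and Folder Options. The script below is an added, read-only check for those values after cleanup; it is not part of the thread or of Emsisoft's tooling, and it assumes it is run in an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example (not from the thread or Emsisoft): read-only audit of the
# Explorer/System policy values that EEK reported as Setting.DisableTaskMgr,
# Setting.DisableRegistryTools, Setting.NoRun and Setting.NoFolderOptions.
# A REG_DWORD value of 1 means the restriction is active; absent or 0 means it is not.
# HKCU covers the account running the script; the EEK log shows the per-user
# entries under HKEY_USERS\<SID>, which is the same hive seen from that account.

$checks = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)

function Get-PolicyRestrictionStatus {
    # Returns one object per hive/value pair describing the current setting.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($c in $checks) {
            $path  = "${hive}:\$($c.Key)"
            $value = $null
            if (Test-Path $path) {
                # -ErrorAction SilentlyContinue: a missing value name is the normal, clean case.
                $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            }
            $setting = if ($null -eq $value) { 'not set' } else { $value }
            [pscustomobject]@{
                Hive    = $hive
                Key     = $c.Key
                Value   = $c.Name
                Setting = $setting
                Active  = ($value -eq 1)
            }
        }
    }
}

$results = Get-PolicyRestrictionStatus
$results | Format-Table Hive, Value, Setting, Active -AutoSize

if ($results | Where-Object Active) {
    Write-Warning 'One or more policy restrictions are still active; review them before treating the machine as clean.'
} else {
    Write-Host 'No Task Manager / Registry Editor / Run / Folder Options restrictions are active.'
}
```

    The script changes nothing; it only reports, so it is safe to run before and after a quarantine pass to confirm the restrictions are gone.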

  #18 - Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    How's the computer now?

    Ready to remove tools and quarantine folders?

  #19 - Junior Member (Join Date: Nov 2007, Posts: 13)

    So far so good. I have asked my sister-in-law to use her computer for a few days and let me know if any issues come up. After all the scans / cleanings / quarantines, I ran a Spybot scan (which originally notified us of the SmitFraud malware - and a few others), but on the most recent scan, there were no major issues (just low level / minor items - i.e. cookies, etc.).

    I will report back after she has a chance to use it for a few days.

    Again, thank you and everyone that volunteers to assist people in these matters.

  #20 - Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Quote (from #19):
        on the most recent scan, there were no major issues (just low level / minor items - i.e. cookies, etc.).

        I will report back after she has a chance to use it for a few days.

        Again, thank you and everyone that volunteers to assist people in these matters.

    You're welcome