HELP! browser (IE & FireFox) hijacked by hao123.com! [Solve



#16
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

I have a tool that will remove all of the tools we've used and will remove itself too. However, I'd like to run two more scans if you don't mind, just to be sure everything is clean.

 

We'll search for some remnants that might be hiding.
 
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update
 
  • Once it has updated select Settings > Detection and Protection > Tick Scan for rootkits


 
  • Go back to the Dashboard and select Scan Now


 
  • If threats are detected, click the Apply Actions button, MBAM will ask for a reboot


 
  • On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop.


 
 
Please post that log for my review.
 
Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website.
There, click Run ESET Online Scanner.

If using Internet Explorer:
  • Accept the Terms of Use and click Start.
  • Allow the add-on to run.
If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe from the link you'll be given.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.
To perform the scan:
  • Make sure that Remove found threats is unchecked.
  • Make sure that Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. Please be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.
Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!

  • 0


#17
capercat

capercat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 24/9/2014
Scan Time: 12:53:31 AM
Logfile: scanlog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.23.07
Rootkit Database: v2014.09.19.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jean

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 421346
Time Elapsed: 32 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 38
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\APPID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}, Quarantined, [9ee7bc33accfc57161a9a7fec9396f91],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{1DD31B76-C57E-49BA-94BC-BF53F0C82CD4}, Quarantined, [9ee7bc33accfc57161a9a7fec9396f91],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{1DD31B76-C57E-49BA-94BC-BF53F0C82CD4}, Quarantined, [9ee7bc33accfc57161a9a7fec9396f91],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\TYPELIB\{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\INTERFACE\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\INTERFACE\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\INTERFACE\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\AddressSearch.JsObject.1, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\AddressSearch.JsObject, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AddressSearch.JsObject, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AddressSearch.JsObject.1, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{11CC93E4-0BE6-4F8F-82AA-D577FB955B05}, Quarantined, [444177787cff40f6a267dec74db5db25],
PUP.Optional.Outbrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}, Quarantined, [8104905f2d4e6ec80ad421a706fc827e],
PUP.Optional.Outbrowse, HKLM\SOFTWARE\CLASSES\TYPELIB\{03771AEF-400D-4A13-B712-25878EC4A3F5}, Quarantined, [8104905f2d4e6ec80ad421a706fc827e],
PUP.Optional.Outbrowse, HKLM\SOFTWARE\CLASSES\INTERFACE\{3408AC0D-510E-4808-8F7B-6B70B1F88534}, Quarantined, [8104905f2d4e6ec80ad421a706fc827e],
PUP.Optional.Outbrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{3408AC0D-510E-4808-8F7B-6B70B1F88534}, Quarantined, [8104905f2d4e6ec80ad421a706fc827e],
PUP.Optional.Outbrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{03771AEF-400D-4A13-B712-25878EC4A3F5}, Quarantined, [8104905f2d4e6ec80ad421a706fc827e],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\TYPELIB\{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\INTERFACE\{FCB380C4-D350-44BE-8791-50216F4747AC}, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FCB380C4-D350-44BE-8791-50216F4747AC}, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\ASBarBroker.BDBroker.1, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\ASBarBroker.BDBroker, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\ASBarBroker.BDBroker, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\ASBarBroker.BDBroker.1, Quarantined, [8bfa14dbd6a50a2c4bbd366f2cd6ca36],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}, Quarantined, [582d00efe79485b19374079eb94936ca],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\AddressSearch.SnavHttpProtocol.1, Quarantined, [582d00efe79485b19374079eb94936ca],
PUP.Optional.Funshion, HKLM\SOFTWARE\CLASSES\AddressSearch.SnavHttpProtocol, Quarantined, [582d00efe79485b19374079eb94936ca],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AddressSearch.SnavHttpProtocol, Quarantined, [582d00efe79485b19374079eb94936ca],
PUP.Optional.Funshion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AddressSearch.SnavHttpProtocol.1, Quarantined, [582d00efe79485b19374079eb94936ca],
Trojan.Cinmus, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{A7F05EE4-0426-454F-8013-C41E3596E9E9}, Quarantined, [780d1ed1b6c53ff7af024375010138c8],
Adware.BDSearch, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}, Quarantined, [8afbd21dbebdb680184caff96a98da26],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
CrackTool.Agent, C:\Downloads\ADOBE Acrobat Pro XI [MPT] Crack PATCH TPB DeGun, Quarantined, [c6bf2ac57308b58123c8b080a958cb35],
RiskWare.Tool.CK, C:\Users\Jean\Downloads\Avira Reset [freecrackfilesdownload.blogspot.com].rar, Quarantined, [0580fef182f964d234df3e2eeb15a957],

Physical Sectors: 0
(No malicious items detected)


(end)


  • 0

#18
capercat

capercat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts

[email protected] as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=27fb4e2a8567e44499d2873291f8b009
# engine=20262
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-09-23 08:59:28
# local_time=2014-09-24 04:59:28 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Avira Desktop'
# compatibility_mode=1805 16777213 100 100 13781 155191587 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 163135818 0 0
# scanned=343217
# found=18
# cleaned=0
# scan_time=11565
sh=FB2B10C924E107597AABF49D5BB6C624AC10E3B4 ft=1 fh=2ec984392ff83028 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="C:\Program Files\Sony\Vegas Pro 12.0\vegas.pro.12.-patch.exe"
sh=71435DDB11E00D0243380C4902324853FE4ECE8F ft=1 fh=12b0cd2dde452d65 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application" ac=I fn="C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll"
sh=FFA8B6510D624A55F3EB7FFD6D5221A44944681C ft=1 fh=3386eb0d6ed0e5e1 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application" ac=I fn="C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe"
sh=1A3F14C0A66F9AF050D1F34FBACBAADC31751A07 ft=1 fh=2704a03a0f47b728 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application" ac=I fn="C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe"
sh=FD0483A45EF23EB4DEF1523906A28A4A5D3C0D77 ft=1 fh=fcf2e467b851cbbd vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application" ac=I fn="C:\Program Files (x86)\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe"
sh=36A8B846183B8F4568C4D409D53FF4758D500B2A ft=1 fh=3ebe3e1292c33856 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="C:\Program Files (x86)\Photodex\ProShow Producer\proshow.producer-patch.exe"
sh=C53B4B946486A5A1F3855F009E6EFED48503978F ft=0 fh=0000000000000000 vn="a variant of Generik.LKQSKKX trojan" ac=I fn="D:\njf misc\njf\thumbdrive\HaRePacker.rar"
sh=2B8F6CE84E6CE68672B79DB7CD6A699696C8A00F ft=0 fh=0000000000000000 vn="a variant of Win32/HackTool.Patcher.T potentially unsafe application" ac=I fn="G:\$RECYCLE.BIN\S-1-5-21-1288498897-834142535-3446857410-1000\$RLKJU5B\Backup Set 2013-04-08 005301\Backup Files 2013-04-08 005301\Backup files 1.zip"
sh=BF28D49C52B7D7AF6BCA910E9405095D4A63762A ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application" ac=I fn="G:\$RECYCLE.BIN\S-1-5-21-1288498897-834142535-3446857410-1000\$RLKJU5B\Backup Set 2013-04-08 005301\Backup Files 2013-04-08 005301\Backup files 22.zip"
sh=20E251D7C4DD6AC2C0FCF5584C925A49980A35B6 ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application" ac=I fn="G:\$RECYCLE.BIN\S-1-5-21-1288498897-834142535-3446857410-1000\$RLKJU5B\Backup Set 2013-04-08 005301\Backup Files 2013-04-08 005301\Backup files 23.zip"
sh=2D6D58F1C9113D67D6481F0AB0ECF99303BF2BCA ft=0 fh=0000000000000000 vn="Win32/TopMedia.B potentially unwanted application" ac=I fn="G:\$RECYCLE.BIN\S-1-5-21-1288498897-834142535-3446857410-1000\$RLKJU5B\Backup Set 2013-04-08 005301\Backup Files 2013-04-08 005301\Backup files 42.zip"
sh=85FD231DFF0A97F70361AA2413861EDC5D0B8BFD ft=1 fh=6e634a93cb0ae455 vn="a variant of Win32/CNETInstaller.B potentially unwanted application" ac=I fn="G:\Software\cbsidlm-cbsi5_3_0_93-Pandora_Recovery-BP-10694796.exe"
sh=0C59C362CF55AB67B53851DE76F84C31EF5D4D36 ft=0 fh=0000000000000000 vn="a variant of Win32/HackTool.Patcher.T potentially unsafe application" ac=I fn="G:\Software\Adobe Acrobat XI PRO 11 Multilang WiN ALL WORKING Incl. Patch -\AcrobatPro11.iso"
sh=8F34BB9503DC54A9452821391D923FA19CE6E6FA ft=1 fh=ba0bf2bb89260abf vn="a variant of Win32/HackTool.Patcher.T potentially unsafe application" ac=I fn="G:\Software\Adobe Acrobat XI PRO 11 Multilang WiN ALL WORKING Incl. Patch -\MPT\adobe.acrobat.xi.pro.patch-MPT.exe"
sh=0F3B69130B0344D3210B6C10BD5395ECCB399523 ft=1 fh=1b2e248639a0e8d6 vn="a variant of MSIL/HackTool.IdleKMS.A potentially unsafe application" ac=I fn="G:\Software\Microsoft Office 2013 Professional Plus(64-Bit) and Activator\Microsoft Office 2013 Pro KMS Activator\KMSnano.exe"
sh=36A8B846183B8F4568C4D409D53FF4758D500B2A ft=1 fh=3ebe3e1292c33856 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="G:\Software\Photodex Proshow Producer 5.0.3296+Patch [SOURAVFILE]\patch\proshow.producer-patch.exe"
sh=FB2B10C924E107597AABF49D5BB6C624AC10E3B4 ft=1 fh=2ec984392ff83028 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="G:\Software\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe"
sh=C903691EC1F7E1784D9EF619BBEAFC72E534C430 ft=0 fh=0000000000000000 vn="a variant of Win32/Induc.A virus" ac=I fn="G:\Software\Xilisoft Video Converter Ultimate v7.6\Xilisoft Video Converter Ultimate v7.6.0.20121127 + Keygen\Xilisoft Video Converter Ultimate v7.6.0.20121127.tgz"
 


  • 0
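The ESET log above is machine-oriented: a block of `# key=value` header lines followed by one `sh=… ft=… fh=… vn="…" ac=… fn="…"` line per detection. The Python below is an added example (not part of the thread, not ESET's tooling) that parses that layout, buckets detections by how a responder would prioritise them, and flags the point that matters here: with `remove_checked=false` and `cleaned=0`, every flagged file is still on disk. The sample is constructed from a shortened header plus three detection lines copied from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log layout from the thread:
# a shortened '# key=value' header, then three detection lines taken verbatim from the post.
SAMPLE_LOG = r'''# product=EOS
# remove_checked=false
# found=3
# cleaned=0
sh=FB2B10C924E107597AABF49D5BB6C624AC10E3B4 ft=1 fh=2ec984392ff83028 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="C:\Program Files\Sony\Vegas Pro 12.0\vegas.pro.12.-patch.exe"
sh=C53B4B946486A5A1F3855F009E6EFED48503978F ft=0 fh=0000000000000000 vn="a variant of Generik.LKQSKKX trojan" ac=I fn="D:\njf misc\njf\thumbdrive\HaRePacker.rar"
sh=2D6D58F1C9113D67D6481F0AB0ECF99303BF2BCA ft=0 fh=0000000000000000 vn="Win32/TopMedia.B potentially unwanted application" ac=I fn="G:\$RECYCLE.BIN\S-1-5-21-1288498897-834142535-3446857410-1000\$RLKJU5B\Backup Set 2013-04-08 005301\Backup Files 2013-04-08 005301\Backup files 42.zip"
'''

# One detection per line: SHA-1, file-type flag, file hash, detection name, action code, path.
DETECTION_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9a-f]+) '
    r'vn="(?P<name>[^"]*)" ac=(?P<ac>\S+) fn="(?P<path>[^"]*)"$')

def classify(name):
    """Bucket an ESET detection name by the suffix ESET puts on it."""
    low = name.lower()
    if low.endswith('potentially unsafe application'):
        return 'unsafe-app'      # cracks, patchers, activators
    if low.endswith('potentially unwanted application'):
        return 'unwanted-app'    # bundlers, toolbars, adware
    return 'malware'             # trojan, virus, ... : highest priority

def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for one log."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith('# ') and '=' in line:
            key, _, value = line[2:].partition('=')
            header[key] = value.strip('"')
        else:
            m = DETECTION_RE.match(line)
            if m:
                d = m.groupdict()
                d['class'] = classify(d['name'])
                detections.append(d)
    return header, detections

def triage(text):
    """Counts per class, plus whether the scan was allowed to remove anything."""
    header, detections = parse_eset_log(text)
    found = int(header.get('found', len(detections)))
    cleaned = int(header.get('cleaned', 0))
    return {
        'by_class': dict(Counter(d['class'] for d in detections)),
        'removal_enabled': header.get('remove_checked') == 'true',
        'still_present': found > 0 and cleaned == 0,   # nothing was cleaned
        'malware_paths': [d['path'] for d in detections if d['class'] == 'malware'],
    }
```

Run against the full posted log, `triage()` reports `still_present` true and `removal_enabled` false, which is exactly why the helper asks for a second run with Remove found threats checked.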

#19
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Please re-run ESET as I did not give you the correct settings before.

 

  • Please go here and click on 1.JPG
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats IS checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked.
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the contents of the logfile located at C:\Program Files (x86)\ESET\Eset Online Scanner\log.txt
    Note: Copy/Paste the contents of the log.txt file BEFORE going on to the next step or the log file will be removed.
  • Also be sure to check Uninstall Application on Close before clicking finish.
  • Paste that log as a part of your next post.

  • 0

#20
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Hi,

 

I've not heard back from you. Have you run the scans? Do you still need help?


  • 0

#21
capercat

capercat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts

Hi, sorry, I have been away. Yep, it's all good now. Thanks a lot again!


  • 0

#22
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Excellent! Glad to help :) :thumbsup:


  • 0

#23
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
