Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for FirstOffer100920151243

- - - - -
Started by Metallica , Sep 14 2015 08:52 AM

  • Please log in to reply
No replies to this topic

#1
Metallica
Posted 14 September 2015 - 08:52 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is FirstOffer100920151243?

The Malwarebytes research team has determined that FirstOffer100920151243 is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by FirstOffer100920151243?

You may see this entry in your list of installed software:

warning4.png

these browser add-ons:

warning1.png

warning2.png

and this Scheduled Task:

warning3.png

How did FirstOffer100920151243 get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove FirstOffer100920151243?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of FirstOffer100920151243?
  • No, Malwarebytes' Anti-Malware removes FirstOffer100920151243 completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the FirstOffer100920151243 hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Signs in a HijackThis log:

O2 - BHO: firstOffer100920151243 Helper - {A26F2297-97A4-446C-bBC6-B74D3DE852E9} - C:\Program Files\firstOffer100920151243\Jufnaeml.dll
O23 - Service: 20CC74A6-8ED4-4A23-9FF2-7824E9CF254D - Unknown owner - C:\Program Files\firstOffer100920151243\Dybnh.exe
O23 - Service: csrcc - Unknown owner - C:\Program Files\firstOffer100920151243\csrcc.exe
O23 - Service: firstOffer100920151243 Updater - Unknown owner - C:\Program Files\firstOffer100920151243\Momjoon.exe
Possible signs in FRST logs:

 () C:\Program Files\firstOffer100920151243\csrcc.exe
 () C:\Program Files\firstOffer100920151243\Dybnh.exe
 () C:\Program Files\firstOffer100920151243\Momjoon.exe
 () C:\Program Files\firstOffer100920151243\Ymuukir.exe
 () C:\Program Files\firstOffer100920151243\Ymuukir64.exe
 HKLM\...\Run: [firstOffer100920151243] => C:\Program Files\firstOffer100920151243\Ymuukir.exe [429232 2015-09-10] ()
 HKLM\...\Run: [firstOffer10092015124364] => C:\Program Files\firstOffer100920151243\Ymuukir64.exe [460464 2015-09-10] ()
 HKLM\...\Run: [prtstart] => C:\Program Files\firstOffer100920151243\dr_inst.exe [139440 2015-09-10] ()
 BHO: firstOffer100920151243 -> {A26F2297-97A4-446C-bBC6-B74D3DE852E9} -> C:\Program Files\firstOffer100920151243\Jufnaeml64.dll [2015-09-10] ()
 BHO-x32: firstOffer100920151243 -> {A26F2297-97A4-446C-bBC6-B74D3DE852E9} -> C:\Program Files\firstOffer100920151243\Jufnaeml.dll [2015-09-10] ()
 FF user.js: detected! => C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\user.js [2015-09-14]
 FF HKLM\...\Firefox\Extensions: [{A26F2297-97A4-446C-bBC6-B74D3DE852E9}] - C:\Program Files\firstOffer100920151243\Firefox
 FF Extension: firstOffer100920151243 - C:\Program Files\firstOffer100920151243\Firefox [2015-09-14]
 FF HKLM-x32\...\Firefox\Extensions: [{A26F2297-97A4-446C-bBC6-B74D3DE852E9}] - C:\Program Files\firstOffer100920151243\Firefox
 R3 20CC74A6-8ED4-4A23-9FF2-7824E9CF254D; C:\Program Files\firstOffer100920151243\Dybnh.exe [281264 2015-09-10] ()
 R3 csrcc; C:\Program Files\firstOffer100920151243\csrcc.exe [1444528 2015-09-10] ()
 R2 firstOffer100920151243 Updater; C:\Program Files\firstOffer100920151243\Momjoon.exe [171184 2015-09-10] ()
 R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [56736 2015-08-20] (Windows (R) Win 7 DDK provider)
 C:\Windows\System32\Tasks\Softal
 C:\Program Files\firstOffer100920151243
 (Windows (R) Win 7 DDK provider) C:\Windows\system32\Drivers\cherimoya.sys

AwesomeShoppers.com (HKLM\...\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}_is1) (Version: 2.0.0.480 - firstOffer)
Task: {84BDE46E-9E0B-4242-90F5-BB8A44B7EB95} - System32\Tasks\Softal => C:\Program Files\firstOffer100920151243\Teclous.bat [2015-09-10] ()
Alterations made by the installer:

File system details 
---------------------------------------------------
    Adds the folder C:\Program Files\firstOffer100920151243
       Adds the file csrcc.exe"="9/10/2015 12:49 PM, 1444528 bytes, A
       Adds the file dr_inst.exe"="9/10/2015 12:49 PM, 139440 bytes, A
       Adds the file Dybnh.exe"="9/10/2015 12:49 PM, 281264 bytes, A
       Adds the file Dymmo.dll"="9/10/2015 12:49 PM, 883376 bytes, A
       Adds the file Fugri.dll"="9/10/2015 12:49 PM, 287408 bytes, A
       Adds the file Fugri64.dll"="9/10/2015 12:49 PM, 293552 bytes, A
       Adds the file gcpum.dll"="9/10/2015 12:49 PM, 89264 bytes, A
       Adds the file Jufnaeml.dll"="9/10/2015 12:49 PM, 175280 bytes, A
       Adds the file Jufnaeml64.dll"="9/10/2015 12:49 PM, 214192 bytes, A
       Adds the file Momjoon.exe"="9/10/2015 12:49 PM, 171184 bytes, A
       Adds the file nfregdrv64.exe"="9/10/2015 12:49 PM, 123056 bytes, A
       Adds the file Ogamd.dll"="9/10/2015 12:49 PM, 616112 bytes, A
       Adds the file Ogamd64.dll"="9/10/2015 12:49 PM, 626864 bytes, A
       Adds the file Rogjaj.dll"="9/10/2015 12:49 PM, 239792 bytes, A
       Adds the file Rogjaj64.dll"="9/10/2015 12:49 PM, 273584 bytes, A
       Adds the file Teclous.bat"="9/10/2015 12:47 PM, 75 bytes, A
       Adds the file tree.js"="9/14/2015 3:36 PM, 352 bytes, A
       Adds the file Tuftir.dll"="9/10/2015 12:49 PM, 307888 bytes, A
       Adds the file Tuftir64.dll"="9/10/2015 12:49 PM, 332976 bytes, A
       Adds the file unins000.dat"="9/14/2015 3:36 PM, 102750 bytes, A
       Adds the file unins000.exe"="9/14/2015 3:36 PM, 725665 bytes, A
       Adds the file Ymuukir.exe"="9/10/2015 12:49 PM, 429232 bytes, A
       Adds the file Ymuukir64.exe"="9/10/2015 12:49 PM, 460464 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox
       Adds the file {A26F2297-97A4-446C-bBC6-B74D3DE852E9}.xpi"="9/10/2015 12:47 PM, 15271 bytes, A
       Adds the file chrome.manifest"="9/10/2015 12:47 PM, 338 bytes, A
       Adds the file icon.png"="5/12/2013 3:03 PM, 2424 bytes, A
       Adds the file install.rdf"="9/10/2015 12:47 PM, 857 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\chrome\content
       Adds the file main.js"="9/10/2015 12:47 PM, 31473 bytes, A
       Adds the file main.xul"="9/10/2015 12:47 PM, 434 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\chrome\content\libraries
       Adds the file DataExchangeScript.js"="9/10/2015 12:47 PM, 4298 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\chrome\content\resources
       Adds the file LocalScript.js"="9/10/2015 12:47 PM, 4137 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\chrome\locale\en-US
       Adds the file overlay.dtd"="12/25/2012 5:00 PM, 0 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\chrome\skin
       Adds the file overlay.css"="12/25/2012 5:00 PM, 0 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\Firefox\defaults\preferences
       Adds the file defaults.js"="9/10/2015 12:47 PM, 164 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\libraries
       Adds the file DataExchangeScript.js"="9/10/2015 12:47 PM, 2329 bytes, A
    Adds the folder C:\Program Files\firstOffer100920151243\resources
       Adds the file LocalScript.js"="9/10/2015 12:47 PM, 4137 bytes, A
    In the existing folder C:\Windows\System32\drivers
       Adds the file cherimoya.sys"="8/20/2015 11:46 AM, 56736 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file Softal"="9/14/2015 3:36 PM, 3654 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AF1AD7EF-4A5A-404A-8742-B81473E545AF}]
       "LocalService"="REG_SZ", "20CC74A6-8ED4-4A23-9FF2-7824E9CF254D"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BFD65560-8705-4E79-9A8F-16181AA74432}]
       "(Default)"="REG_SZ", "Extension"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Jufnaeml.DLL
       "AppID"="REG_SZ", "{BFD65560-8705-4E79-9A8F-16181AA74432}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08ACFB57-8187-47f0-AF93-56360D03634A}]
       "Init"="REG_SZ", "true"
       "set"="REG_SZ", "1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}]
       "(Default)"="REG_SZ", "firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Implemented Categories]
       "(Default)"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
       "(Default)"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\InprocServer32]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\Jufnaeml64.dll"
       "ThreadingModel"="REG_SZ", "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\ProgID]
       "(Default)"="REG_SZ", "Extension.Batnu.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\TypeLib]
       "(Default)"="REG_SZ", "{9AE7A6AE-162E-44c4-9A2B-A6B4EF19909D}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\VersionIndependentProgID]
       "(Default)"="REG_SZ", "Extension.Batnu"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.Batnu]
       "(Default)"="REG_SZ", "firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.Batnu\CLSID]
       "(Default)"="REG_SZ", "{A26F2297-97A4-446C-bBC6-B74D3DE852E9}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.Batnu\CurVer]
       "(Default)"="REG_SZ", "Extension.Batnu.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.Batnu.1]
       "(Default)"="REG_SZ", "firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.Batnu.1\CLSID]
       "(Default)"="REG_SZ", "{A26F2297-97A4-446C-bBC6-B74D3DE852E9}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}]
       "(Default)"="REG_SZ", "ISG"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}\TypeLib]
       "(Default)"="REG_SZ", "{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}]
       "(Default)"="REG_SZ", "_ICSRCEvents"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020420-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}\TypeLib]
       "(Default)"="REG_SZ", "{14EF423E-3EE8-44AE-9337-07AC3F27B744}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}]
       "(Default)"="REG_SZ", "_ISGEvents"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020420-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}\TypeLib]
       "(Default)"="REG_SZ", "{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}]
       "(Default)"="REG_SZ", "IExtensionHelperObject"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}\TypeLib]
       "(Default)"="REG_SZ", "{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}]
       "(Default)"="REG_SZ", "ICSRC"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}\TypeLib]
       "(Default)"="REG_SZ", "{14EF423E-3EE8-44AE-9337-07AC3F27B744}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}\1.0]
       "(Default)"="REG_SZ", "csrccLib"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}\1.0\0\win32]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\csrcc.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}\1.0\FLAGS]
       "(Default)"="REG_SZ", "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}\1.0\HELPDIR]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}\1.0]
       "(Default)"="REG_SZ", "guardsvcLib"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}\1.0\0\win32]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\Dybnh.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}\1.0\FLAGS]
       "(Default)"="REG_SZ", "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}\1.0\HELPDIR]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}\1.0]
       "(Default)"="REG_SZ", "Extension 1.0 Type Library"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}\1.0\0\win32]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\Jufnaeml.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}\1.0\0\win64]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\Jufnaeml64.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}\1.0\FLAGS]
       "(Default)"="REG_SZ", "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}\1.0\HELPDIR]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08ACFB57-8187-47f0-AF93-56360D03634A}]
       "Init"="REG_SZ", "true"
       "set"="REG_SZ", "1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{654B1390-16DC-42DB-8612-B9EC98E0B12D}]
       "(Default)"="REG_SZ", "SG Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{654B1390-16DC-42DB-8612-B9EC98E0B12D}\LocalServer32]
       "(Default)"="REG_SZ", ""C:\Program Files\firstOffer100920151243\Dybnh.exe""
       "ServerExecutable"="REG_SZ", "C:\Program Files\firstOffer100920151243\Dybnh.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{654B1390-16DC-42DB-8612-B9EC98E0B12D}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{654B1390-16DC-42DB-8612-B9EC98E0B12D}\TypeLib]
       "(Default)"="REG_SZ", "{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{654B1390-16DC-42DB-8612-B9EC98E0B12D}\Version]
       "(Default)"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}]
       "(Default)"="REG_SZ", "CSRC Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
       "(Default)"="REG_SZ", ""C:\Program Files\firstOffer100920151243\csrcc.exe""
       "ServerExecutable"="REG_SZ", "C:\Program Files\firstOffer100920151243\csrcc.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\TypeLib]
       "(Default)"="REG_SZ", "{14EF423E-3EE8-44AE-9337-07AC3F27B744}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\Version]
       "(Default)"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}]
       "(Default)"="REG_SZ", "firstOffer100920151243"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Implemented Categories]
       "(Default)"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
       "(Default)"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\InprocServer32]
       "(Default)"="REG_SZ", "C:\Program Files\firstOffer100920151243\Jufnaeml.dll"
       "ThreadingModel"="REG_SZ", "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\ProgID]
       "(Default)"="REG_SZ", "Extension.Batnu.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\TypeLib]
       "(Default)"="REG_SZ", "{9AE7A6AE-162E-44c4-9A2B-A6B4EF19909D}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\VersionIndependentProgID]
       "(Default)"="REG_SZ", "Extension.Batnu"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}]
       "(Default)"="REG_SZ", "ISG"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}\TypeLib]
       "(Default)"="REG_SZ", "{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}]
       "(Default)"="REG_SZ", "_ICSRCEvents"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020420-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}\TypeLib]
       "(Default)"="REG_SZ", "{14EF423E-3EE8-44AE-9337-07AC3F27B744}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}]
       "(Default)"="REG_SZ", "_ISGEvents"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020420-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAC6610E-090F-4574-BE1E-E7B4495EB531}\TypeLib]
       "(Default)"="REG_SZ", "{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}]
       "(Default)"="REG_SZ", "IExtensionHelperObject"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}\TypeLib]
       "(Default)"="REG_SZ", "{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}]
       "(Default)"="REG_SZ", "ICSRC"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}\TypeLib]
       "(Default)"="REG_SZ", "{14EF423E-3EE8-44AE-9337-07AC3F27B744}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\firstOffer100920151243]
       "appID"="REG_SZ", "A26F2297-97A4-446C-bBC6-B74D3DE852E9"
       "channel_id"="REG_SZ", "amntusex-00-0"
       "install_time"="REG_SZ", "14-09-2015"
       "installer_name"="REG_SZ", "vbates_amntusex-00-0_.exe"
       "product_name"="REG_SZ", "firstOffer100920151243"
       "product_version"="REG_SZ", "2.0.0.480"
       "ToolbarID"="REG_SZ", "446e44ff63cc463b9606fb01e2d4c369"
       "version"="REG_SZ", "2.0.0.480"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}]
       "(Default)"="REG_SZ", "firstOffer100920151243 Helper"
       "NoExplorer"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
       "firstOffer100920151243"="REG_SZ", "C:\Program Files\firstOffer100920151243\Ymuukir.exe"
       "firstOffer10092015124364"="REG_SZ", "C:\Program Files\firstOffer100920151243\Ymuukir64.exe"
       "prtstart"="REG_SZ", "C:\Program Files\firstOffer100920151243\dr_inst.exe url=aHR0cDovL2Nkcy5zNm01bTlkNy5od2Nkbi5uZXQvYWRkb25fZm8vcHIvMTAwOTIwMTUvL3ByYzY0LmV4ZQ== lpath=QzpcUHJvZ3JhbSBGaWxlc1xmaXJzdE9mZmVyMTAwOTIwMTUxMjQzXHByYy5leGU= time=1 cl=LWluc3RhbGw="
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}_is1]
       "DisplayName"="REG_SZ", "AwesomeShoppers.com"
       "DisplayVersion"="REG_SZ", "2.0.0.480"
       "EstimatedSize"="REG_DWORD", 8033
       "HelpLink"="REG_SZ", "INJ_EXTENSION_PUBLISHER_URL"
       "Inno Setup: App Path"="REG_SZ", "C:\Program Files\firstOffer100920151243"
       "Inno Setup: Icon Group"="REG_SZ", "firstOffer100920151243"
       "Inno Setup: Language"="REG_SZ", "english"
       "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20150914"
       "InstallLocation"="REG_SZ", "C:\Program Files\firstOffer100920151243\"
       "MajorVersion"="REG_DWORD", 2
       "MinorVersion"="REG_DWORD", 0
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "firstOffer"
       "QuietUninstallString"="REG_SZ", ""C:\Program Files\firstOffer100920151243\unins000.exe" /SILENT"
       "UninstallString"="REG_SZ", ""C:\Program Files\firstOffer100920151243\unins000.exe""
       "URLInfoAbout"="REG_SZ", "INJ_EXTENSION_PUBLISHER_URL"
       "URLUpdateInfo"="REG_SZ", "INJ_EXTENSION_PUBLISHER_URL"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
       "{A26F2297-97A4-446C-bBC6-B74D3DE852E9}"="REG_SZ", "C:\Program Files\firstOffer100920151243\Firefox"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\firstOffer100920151243
       "appID"="REG_SZ", "A26F2297-97A4-446C-bBC6-B74D3DE852E9"
       "channel_id"="REG_SZ", "amntusex-00-0"
       "install_time"="REG_SZ", "14-09-2015"
       "installer_name"="REG_SZ", "vbates_amntusex-00-0_.exe"
       "product_name"="REG_SZ", "firstOffer100920151243"
       "product_version"="REG_SZ", "2.0.0.480"
       "ToolbarID"="REG_SZ", "446e44ff63cc463b9606fb01e2d4c369"
       "version"="REG_SZ", "2.0.0.480"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}]
       "(Default)"="REG_SZ", "firstOffer100920151243 Helper"
       "NoExplorer"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
       "{A26F2297-97A4-446C-bBC6-B74D3DE852E9}"="REG_SZ", "C:\Program Files\firstOffer100920151243\Firefox"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList
       "PNP_TDI
        REG_BINARY, .................... ==> REG_BINARY, ......................
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\20CC74A6-8ED4-4A23-9FF2-7824E9CF254D]
       "DependOnService"="REG_MULTI_SZ, "RPCSS "
       "DisplayName"="REG_SZ", "20CC74A6-8ED4-4A23-9FF2-7824E9CF254D"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\firstOffer100920151243\Dybnh.exe""
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 3
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cherimoya]
       "DisplayName"="REG_SZ", "cherimoya"
       "ErrorControl"="REG_DWORD", 1
       "Group"="REG_SZ", "PNP_TDI"
       "ImagePath"="REG_EXPAND_SZ, "system32\drivers\cherimoya.sys"
       "Start"="REG_DWORD", 1
       "Tag"="REG_DWORD", 10
       "Type"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrcc]
       "DependOnService"="REG_MULTI_SZ, "RPCSS "
       "DisplayName"="REG_SZ", "csrcc"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\firstOffer100920151243\csrcc.exe""
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 3
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\firstOffer100920151243 Updater]
       "DisplayName"="REG_SZ", "firstOffer100920151243 Updater"
       "ErrorControl"="REG_DWORD", 0
       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files\firstOffer100920151243\Momjoon.exe"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\{6D0F720D-723F-4952-9477-7ABE06DD20FD}]
       "Name"="REG_SZ", "C:\Program Files\firstOffer100920151243\Ymuukir.exe"
    [HKEY_CURRENT_USER\Software\Classes\Software\{6D0F720D-723F-4952-9477-7ABE06DD20FD}]
       "Name"="REG_SZ", "C:\Program Files\firstOffer100920151243\Ymuukir.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions]
       "{A26F2297-97A4-446C-bBC6-B74D3DE852E9}"="REG_BINARY, ............
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Stats\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}\iexplore]
       "Blocked"="REG_DWORD", 1
       "Count"="REG_DWORD", 1
       "Flags"="REG_DWORD", 0
       "Type"="REG_DWORD", 3
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/14/2015
Scan Time: 4:03 PM
Logfile: mbamFirstOffer.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.14.04
Rootkit Database: v2015.08.16.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350503
Time Elapsed: 31 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 5
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\csrcc.exe, 5240, Delete-on-Reboot, [a725f8374f3c64d243f58231b34e25db]
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Dybnh.exe, 6004, Delete-on-Reboot, [1fad052a7b10b77f9aa37a39ae53e020]
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ymuukir.exe, 3292, Delete-on-Reboot, [0cc0af8094f746f0b08cb4ff748dfe02]
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ymuukir64.exe, 2428, Delete-on-Reboot, [8d3fb27d1e6d11255c90f6d7d22fc937]
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Momjoon.exe, 6060, Delete-on-Reboot, [428a59d6612aa78fbc6f8744ad57926e]

Modules: 6
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Fugri.dll, Delete-on-Reboot, [f1dbfc331f6c75c18cd901b2010047b9], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Fugri.dll, Delete-on-Reboot, [f1dbfc331f6c75c18cd901b2010047b9], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Fugri.dll, Delete-on-Reboot, [f1dbfc331f6c75c18cd901b2010047b9], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ogamd.dll, Delete-on-Reboot, [1cb077b8bad16bcb78c2e5ce9c6529d7], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Rogjaj.dll, Delete-on-Reboot, [05c79b946625b77f0f2ad1e23fc2718f], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Tuftir.dll, Delete-on-Reboot, [94387bb4d2b987af283bc6ede61b57a9], 

Registry Keys: 50
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\TYPELIB\{14EF423E-3EE8-44AE-9337-07AC3F27B744}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\INTERFACE\{A9582D7B-F24A-441D-9D26-450D58F3CD17}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\INTERFACE\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{A9582D7B-F24A-441D-9D26-450D58F3CD17}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{A9582D7B-F24A-441D-9D26-450D58F3CD17}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{14EF423E-3EE8-44AE-9337-07AC3F27B744}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{14EF423E-3EE8-44AE-9337-07AC3F27B744}, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\csrcc, Quarantined, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\TYPELIB\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\INTERFACE\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\INTERFACE\{DAC6610E-090F-4574-BE1E-E7B4495EB531}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DAC6610E-090F-4574-BE1E-E7B4495EB531}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1FC74F9A-8B2E-4744-90BA-48606C6E9A3F}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DAC6610E-090F-4574-BE1E-E7B4495EB531}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{9A7E7B75-76D5-4B69-9FFA-8091B6904D91}, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\20CC74A6-8ED4-4A23-9FF2-7824E9CF254D, Quarantined, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\TYPELIB\{9AE7A6AE-162E-44c4-9A2B-A6B4EF19909D}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\INTERFACE\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{9AE7A6AE-162E-44c4-9A2B-A6B4EF19909D}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{9AE7A6AE-162E-44c4-9A2B-A6B4EF19909D}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\Extension.Batnu.1, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\Extension.Batnu, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\Extension.Batnu, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\Extension.Batnu, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\CLASSES\Extension.Batnu.1, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\Extension.Batnu.1, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, HKLM\SOFTWARE\CLASSES\CLSID\{A26F2297-97A4-446C-BBC6-B74D3DE852E9}\INPROCSERVER32, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SOFTWARE\firstOffer100920151243, Quarantined, [e1eb70bf2c5f69cd230237943bc9ea16], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Softal, Delete-on-Reboot, [9636d956b4d7e94ddd4906c5f21232ce], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\firstOffer100920151243, Quarantined, [24a8fa3597f41a1c56cfb615699b27d9], 
Rootkit.cherimoya.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\cherimoya, Quarantined, [438956d9bccf3df98c954fe1d3309e62], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\FIRSTOFFER100920151243 UPDATER, Quarantined, [428a59d6612aa78fbc6f8744ad57926e], 
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-18\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}, Quarantined, [ac201718dab11d19f23117b4818341bf], 
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-19\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}, Quarantined, [6864ca654c3fdb5be34052790400de22], 
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-20\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}, Quarantined, [0ebea8877e0d81b5ba6952795ca8eb15], 
PUP.Optional.Vbates.BrwsrFlsh, HKCU\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}, Quarantined, [a6265cd3e6a581b538ebae1d12f230d0], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}_is1, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 

Registry Values: 14
PUP.Optional.Perion, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|firstOffer100920151243, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Quarantined, [0cc0af8094f746f0b08cb4ff748dfe02]
PUP.Optional.Perion, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|firstOffer10092015124364, C:\Program Files\firstOffer100920151243\Ymuukir64.exe, Quarantined, [8d3fb27d1e6d11255c90f6d7d22fc937]
PUP.Optional.Perion, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|prtstart, C:\Program Files\firstOffer100920151243\dr_inst.exe url=aHR0cDovL2Nkcy5zNm01bTlkNy5od2Nkbi5uZXQvYWRkb25fZm8vcHIvMTAwOTIwMTUvL3ByYzY0LmV4ZQ== lpath=QzpcUHJvZ3JhbSBGaWxlc1xmaXJzdE9mZmVyMTAwOTIwMTUxMjQzXHByYy5leGU= time=1 cl=LWluc3RhbGw=, Quarantined, [0dbfe9463b50a88ee679a50ef70a718f]
PUP.Optional.Perion, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, C:\Program Files\firstOffer100920151243\Firefox, Quarantined, [eae20d220487e452dd59763d47ba13ed]
PUP.Optional.Perion, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{A26F2297-97A4-446C-BBC6-B74D3DE852E9}, C:\Program Files\firstOffer100920151243\Firefox, Quarantined, [eae20d220487e452dd59763d47ba13ed]
PUP.Optional.Vbates, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}, Quarantined, [22aaf6390685f442e9e600e626dc59a7], 
PUP.Optional.Vbates, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}, Quarantined, [9735ce61028978be1bb4f0f6b949d62a], 
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\20CC74A6-8ED4-4A23-9FF2-7824E9CF254D|ImagePath, "C:\Program Files\firstOffer100920151243\Dybnh.exe", Quarantined, [9d2f82ade4a7df5758d3e5e66c9846ba]
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\csrcc|ImagePath, "C:\Program Files\firstOffer100920151243\csrcc.exe", Quarantined, [9537f43b058680b6ad7e7457f90bc040]
PUP.Optional.Vbates.BrwsrFlsh, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\firstOffer100920151243 Updater|ImagePath, C:\Program Files\firstOffer100920151243\Momjoon.exe, Quarantined, [428a59d6612aa78fbc6f8744ad57926e]
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-18\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}|Name, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Quarantined, [ac201718dab11d19f23117b4818341bf]
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-19\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}|Name, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Quarantined, [6864ca654c3fdb5be34052790400de22]
PUP.Optional.Vbates.BrwsrFlsh, HKU\S-1-5-20\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}|Name, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Quarantined, [0ebea8877e0d81b5ba6952795ca8eb15]
PUP.Optional.Vbates.BrwsrFlsh, HKCU\SOFTWARE\{6D0F720D-723F-4952-9477-7ABE06DD20FD}|Name, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Quarantined, [a6265cd3e6a581b538ebae1d12f230d0]

Registry Data: 0
(No malicious items detected)

Folders: 13
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243, Delete-on-Reboot, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\libraries, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\resources, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\locale, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\locale\en-US, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\skin, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\defaults, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\defaults\preferences, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\libraries, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\resources, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 

Files: 39
PUP.Optional.Shopperz.BrwsrFlsh, C:\WINDOWS\SYSTEM32\drivers\cherimoya.sys, Delete-on-Reboot, [6fecea2b9d3fab8e75b84eb9169273a2], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Fugri.dll, Delete-on-Reboot, [f1dbfc331f6c75c18cd901b2010047b9], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\csrcc.exe, Delete-on-Reboot, [a725f8374f3c64d243f58231b34e25db], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Dybnh.exe, Delete-on-Reboot, [1fad052a7b10b77f9aa37a39ae53e020], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ymuukir.exe, Delete-on-Reboot, [0cc0af8094f746f0b08cb4ff748dfe02], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ogamd.dll, Delete-on-Reboot, [1cb077b8bad16bcb78c2e5ce9c6529d7], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Rogjaj.dll, Delete-on-Reboot, [05c79b946625b77f0f2ad1e23fc2718f], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Tuftir.dll, Delete-on-Reboot, [94387bb4d2b987af283bc6ede61b57a9], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ymuukir64.exe, Delete-on-Reboot, [8d3fb27d1e6d11255c90f6d7d22fc937], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\dr_inst.exe, Quarantined, [0dbfe9463b50a88ee679a50ef70a718f], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Jufnaeml64.dll, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Jufnaeml.dll, Quarantined, [eae20d220487e452dd59763d47ba13ed], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Users\{username}\Desktop\FirstOffer.exe, Quarantined, [3c90d55a5d2e4ee8e8f8e2fcbd44c53b], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Dymmo.dll, Quarantined, [5775e847692242f4112a2f847091de22], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Fugri64.dll, Delete-on-Reboot, [b51765caa0eb4ee871f55261936e10f0], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Ogamd64.dll, Delete-on-Reboot, [09c38ba4315a37ff0f536a4916ebdf21], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Rogjaj64.dll, Delete-on-Reboot, [9d2f58d7751682b40061bbf8fc05a15f], 
PUP.Optional.Perion, C:\Program Files\firstOffer100920151243\Tuftir64.dll, Delete-on-Reboot, [22aaa887d1baa09699cb872c946d1ae6], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Windows\System32\Tasks\Softal, Quarantined, [fece83acaae1dc5a28f9a724dd2743bd], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Momjoon.exe, Delete-on-Reboot, [428a59d6612aa78fbc6f8744ad57926e], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\gcpum.dll, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\nfregdrv64.exe, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Teclous.bat, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\tree.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\unins000.dat, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\unins000.exe, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome.manifest, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\icon.png, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\install.rdf, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\{A26F2297-97A4-446C-bBC6-B74D3DE852E9}.xpi, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\main.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\main.xul, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\libraries\DataExchangeScript.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\content\resources\LocalScript.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\locale\en-US\overlay.dtd, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\chrome\skin\overlay.css, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\Firefox\defaults\preferences\defaults.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\libraries\DataExchangeScript.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 
PUP.Optional.Vbates.BrwsrFlsh, C:\Program Files\firstOffer100920151243\resources\LocalScript.js, Quarantined, [8e3e0c231477f145e5bbc168a95a1be5], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements

Back to Malware Removal Guides and Tutorials


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Malware Removal Guides and Tutorials

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.