Web browsers hijacked



Sam Bos
13-06-2015, 11:35 AM
Hi there,

Lately all my web browsers seem to be getting hijacked. I mainly use Chrome, but after seeing issues I checked IE and Firefox as well (all installed on my PC) and they exhibit the same or similar issues.

I'll notice it when I open a browser - the homepage has been redirected to a different website, and the default search provider has also been changed. So far it's been lucky searches, delta homes and v9.com. If I try to change the default homepage, it'll just revert back to the unwanted one. Also I'll find some sort of program has installed itself (looking at the list of installed programs in Control Panel).

So far I've managed to clean it all up just by running Malwarebytes and Avast (the lucky searches one was a **** to get rid of), but it seems like every week there's a new one that's installed itself.

Opened up Chrome this morning to find the latest one (v9.com), so I thought I'd take a log of the Malwarebytes scan and HijackThis and let you guys have a look.

Here is the Malwarebytes log (HiJackThis log is underneath). Thanks for your help!


=====================================================

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13/06/2015
Scan Time: 10:45:58 a.m.
Logfile: Malwarebytes 13062015.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.12.07
Rootkit Database: v2015.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Sam

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 381487
Time Elapsed: 35 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 7
PUP.Optional.SuperOptimizer.C, HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [c0170cad0f7be650cb46830963a26d93],
PUP.Optional.SuperOptimizer.C, HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}, , [4b8c3b7e99f1280ed53d137945c053ad],
PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428A-92C9-0CFC28B9D1BF}, , [bb1c9d1ce6a43402c93e681b59ac718f],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [6e69b900fb8f6bcb7799197331d47a86],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [6b6c2c8d9bef181ecf4177152fd6ee12],
PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428A-92C9-0CFC28B9D1BF}, , [1cbb7c3d226849ed62a486fd798c52ae],
PUP.Optional.ProductSetup.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\PRODUCTSETUP, , [0bccf7c25238ea4c893c9dee8d7831cf],

Registry Values: 4
PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|URL, http://www.v9.com/web?type=ds&ts=1433832589&from=zzgbkk123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c&q={searchTerms}, , [bb1c9d1ce6a43402c93e681b59ac718f]
PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|FaviconURL, http://www.v9.com/favicon.ico?t=1, , [cc0b8039662472c4a265c7bc62a303fd]
PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{425ED333-6083-428a-92C9-0CFC28B9D1BF}|URL, http://www.v9.com/web?type=ds&ts=1433832589&from=zzgbkk123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c&q={searchTerms}, , [1cbb7c3d226849ed62a486fd798c52ae]
PUP.Optional.ProductSetup.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\PRODUCTSETUP|tb, 0Q2P2X1C1N1K0J2X2X1G1M1F2V, , [0bccf7c25238ea4c893c9dee8d7831cf]

Registry Data: 8
PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[f5e2bbfe9af061d5a83436ff6c9a2fd1]
PUP.Optional.V9.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[c90eaa0f59312412bc20eb4a09fd2ed2]
PUP.Optional.V9.A, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[22b55b5e17731c1af5e167ce7591c937]
PUP.Optional.V9.A, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[399ec4f56129a19534a2a88dd63013ed]
PUP.Optional.V9.A, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[a82f0cad8802ba7cb4225bda897d738d]
PUP.Optional.V9.A, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[ffd8cfea8406f44284523df861a55fa1]
PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[b91e7c3df19948ee30a6f93ce91d2ed2]
PUP.Optional.V9.A, HKU\S-1-5-21-3896505289-1607041351-1423294743-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Page_URL, http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c, Good: (www.google.com), Bad: (http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c),,[7562a910a7e373c3ca0c69ccae582ed2]

Folders: 1
FraudTool.YAC, C:\Program Files\Elex-tech\YAC, , [13c48a2fe2a8fc3a523cd0174ab960a0],

Files: 17
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B89.tmp, , [4196ceebf199a096308dad8eeb1734cc],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9A.tmp, , [e3f4942554360a2c10ad7fbcff0348b8],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9B.tmp, , [87509a1ff694b680e5d86ecd6f93748c],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1B9C.tmp, , [cd0ae6d378121b1b9429e85301010af6],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1BAC.tmp, , [23b4a4151c6ead892c91b18ac83a0bf5],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1BCC.tmp, , [439419a04149f73f4a73ab902ad8a759],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C0C.tmp, , [4c8b12a7f991af87ecd184b7cf33b848],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C2C.tmp, , [08cffdbc0c7ecb6b8b3243f8808225db],
FraudTool.YAC, C:\Users\Sam\AppData\Local\Temp\_@1C2D.tmp, , [e3f4bcfdc4c63105ba0356e58280ab55],
PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ml8bm2uc.default\searchplugins\V9.xml, , [389f3c7d7b0f85b142912000659f8c74],
PUP.Optional.V9.A, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.v9.com_0.localstorage, , [389fc1f80189dc5abe3e9593ec18ab55],
PUP.Optional.V9.A, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.v9.com_0.localstorage-journal, , [409740795238e2542dcfd652b74de719],
PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ml8bm2uc.default\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[f7e0c3f62e5c7cba4f53d0b08383916f]
PUP.Optional.V9.A, C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ml8bm2uc.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[f6e15b5ee7a3f541b90ca8d8877fbb45]
PUP.Optional.V9, C:\Users\Sam\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences, Good: ("session":{"restore_on_startup":5}}), Bad: ("session":{"restore_on_startup":4,"startup_urls":["http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c"]},"sync":{"remaining_rollback_tries":0}}), ,[8552f3c67416092dff7d384a81853bc5]
PUP.Optional.V9.A, C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\7cwxdlv1.default\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[686f05b4a1e9c76f6042b6ca15f1a65a]
PUP.Optional.V9.A, C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\7cwxdlv1.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c");), ,[65720faa35554beb2c99e0a0d036af51]

Physical Sectors: 0
(No malicious items detected)


(end)

=====================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:15:40 a.m., on 13/06/2015
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16659)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Elex-tech\YAC\iSafeTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unified Remote\RemoteServer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RemotelessHelper\RemotelessHelper.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHelper.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Sam\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoft.WebPageAdjuster - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RemotelessHelper] "C:\Program Files\RemotelessHelper\RemotelessHelper.exe"
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3896505289-1607041351-1423294743-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe (User '?')
O4 - HKUS\S-1-5-21-3896505289-1607041351-1423294743-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart (User '?')
O4 - S-1-5-21-3896505289-1607041351-1423294743-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe (User '?')
O4 - Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: WinVista Create New Folder Script.ahk
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Program Files\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O9 - Extra 'Tools' menuitem: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AvastVBox COM Service (AvastVBoxSvc) - Avast Software - C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: GSService - Unknown owner - C:\Windows\system32\GSService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YAC Service (iSafeService) - Elex do Brasil Participações Ltda - C:\Program Files\Elex-tech\YAC\iSafeSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: WACService - Wondershare - C:\Program Files\Wondershare\Wondershare Application Center\WACService.exe
O23 - Service: WinZiper service (winzipersvc) - Taiwan Shui Mu Chih Ching Technology Limited. - C:\Program Files\WinZipper\winzipersvc.exe

--
End of file - 11512 bytes


=====================================================
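A small triage script for the R0/R1 (IE home page and search page) lines in the HJT log above, added here as an example and not part of HijackThis, Malwarebytes or this thread: it parses each line, flags any home/search value whose host is not on a known-good list, and pulls out the affiliate tags (from, uid, ts, z) that the v9.com URLs carry, which is useful when reporting the hijacker or searching for removal guidance for that specific variant. KNOWN_GOOD_HOSTS is an assumption for this user, and the sample lines are copied from the first HJT log.

```python
"""Triage the R0/R1 (IE home page / search page) lines of a HijackThis log.
Added example for this thread; not code from HijackThis or Malwarebytes."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the hosts this user legitimately uses for home/search pages.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.google.co.nz"}

# IE values that should hold a URL (or be empty); other names such as
# ProxyOverride are not URL settings and are skipped.
URL_SETTINGS = {
    "Start Page", "Default_Page_URL", "Default_Search_URL", "Search Bar",
    "Search Page", "SearchAssistant", "CustomizeSearch", "Local Page",
}

# Query parameters the v9.com URLs in the log use to tag the install.
AFFILIATE_PARAMS = ("from", "uid", "ts", "z")

# Layout: "R0 - HKLM\...\Main,Start Page = http://..."; data may be empty.
R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) =(?: (?P<data>.*))?$"
)

# Sample input: lines copied from the first HJT log in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433832589&from=mych123&uid=3219913727_67194_b07d422f&z=2b4f4575e19367792288a9bgez1cacab4cfo4wdt1c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
"""


def parse_r_line(line):
    """Split an R0/R1 line into its parts; return None for any other line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "key": m.group("key"),
            "name": m.group("name"), "data": (m.group("data") or "").strip()}


def as_url(data):
    """HJT prints bare hosts as well as full URLs; normalise for urlsplit."""
    return data if "://" in data else "http://" + data


def affiliate_tags(url):
    """Pull the install-tracking parameters out of a hijacker URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in AFFILIATE_PARAMS if k in qs}


def classify(entry):
    """Return 'skip', 'empty', 'ok' or 'hijacked' for one parsed entry."""
    if entry["name"] not in URL_SETTINGS:
        return "skip"
    if not entry["data"]:
        return "empty"          # unset, which HJT shows as a blank value
    host = urlsplit(as_url(entry["data"])).hostname or ""
    return "ok" if host in KNOWN_GOOD_HOSTS else "hijacked"


def triage(log_text):
    """One finding per hijacked R0/R1 line: where it is and who it points to."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_r_line(line)
        if entry is None or classify(entry) != "hijacked":
            continue
        url = as_url(entry["data"])
        findings.append({"key": entry["key"], "name": entry["name"],
                         "host": urlsplit(url).hostname,
                         "tags": affiliate_tags(url)})
    return findings


def hijack_hosts(log_text):
    """Count hijacked entries per host so the culprit is named at a glance."""
    return Counter(f["host"] for f in triage(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['name']:18} {f['key']:48} -> {f['host']} {f['tags']}")
    print(dict(hijack_hosts(SAMPLE_HJT_LOG)))
```

Both HKCU and HKLM copies of Start Page and Default_Page_URL come back as hijacked, which matches why changing the homepage by hand "just reverts": the machine-wide value is set too.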

Lawrence
13-06-2015, 12:02 PM
You have quite a bit of crap in there.

Optional.SuperOptimizer: http://malwaretips.com/blogs/super-optimizer-removal/ . Running the tools there should also get FraudTool.YAC; this is from YAC Cleaner, which is bad. You will have this installed in your programs.

Also run Junkware Removal Tool: http://thisisudax.org/?p=1

Then run another HijackThis log and see what else is left to remove.

Speedy Gonzales
13-06-2015, 03:21 PM
Run AdwCleaner as well (https://toolslib.net/downloads/viewdownload/1-adwcleaner/). Click on Scan, wait for it to finish, then click on Clean, then reboot.

Tick these in HJT:

O2 - BHO: (no name) - AutorunsDisabled - (no file)

These don't have to be in startup:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Disable this in CCleaner:

O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR

Update TeamViewer, it's up to 10.x something now.

This:

O23 - Service: YAC Service (iSafeService) - Elex do Brasil Participações Ltda - C:\Program Files\Elex-tech\YAC\iSafeSvc.exe

may have installed all those FraudTool entries.

Uninstall it.

Chris Randal
14-06-2015, 09:10 AM
Google is your friend with this - I removed it from a relative's laptop this week.

Spybot finds it, and I think Malwarebytes did too.

Just be aware, though, that one of the fixes I found in Google requires a paid version of the tool to remove the bugs.

wainuitech
14-06-2015, 10:57 AM
You don't need ANY paid software to remove those.

The reason it keeps returning is because it's still installed someplace.

Generally those types of infections will be bundled with some other program that's installed, sometimes on purpose, sometimes on their own. Unless you remove the program(s) and remove all signs from the add-ins on your browsers, as well as from the registry, it WILL reinfect.

1st thing I'd be doing is dumping Avast - it's useless.

Along with the programs Lawrence linked, use http://www.bleepingcomputer.com/download/roguekiller/ and also run EEK in FULL scan mode after updating it: https://www.emsisoft.com/en/software/eek/

Install a better antivirus, NOD32 - set it to scan fully, NOT the default install. To set it up correctly there's a video I made and posted a while back, but here's the link: https://vimeo.com/129336211

Also run CCleaner to get rid of temp files, as sometimes they will sit in there as well. Once all the above have been run (could take all day), open CCleaner, registry cleaner section, and scan / remove the leftovers.

Again -- if it reinfects then you have missed something. --- Enjoy :)

Lawrence
14-06-2015, 11:14 AM
Emsisoft Emergency Kit (EEK): if you think you have a clean system, run Emsisoft Emergency Kit.

It asks you if you want PUPs included before it's run; very surprising what's found (only delete what you have researched is bad).

beama
16-06-2015, 01:26 PM
Besides all the good advice given above, also right-click on the icon shortcut for your browser, go to Properties and check the path to the exe. You may find a URL tagged onto the end of the path to the executable, i.e.
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" www.xxxx.xx
Delete the URL up until the last ". Check all browser icons.

Sam Bos
20-06-2015, 11:46 PM
Thanks everyone, I ran through most of the suggestions above (apart from RogueKiller - it kept blue-screening every time I tried to run it).

But it all seems to be OK now, here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:46:44 p.m., on 20/06/2015
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16659)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unified Remote\RemoteServer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RemotelessHelper\RemotelessHelper.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHelper.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Sam\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/?trackid=sp-006
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Unified Remote v2] C:\Program Files\Unified Remote\RemoteServer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RemotelessHelper] "C:\Program Files\RemotelessHelper\RemotelessHelper.exe"
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Sam\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [Dropbox Update] "C:\Users\Sam\AppData\Local\Dropbox\Update\DropboxUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: WinVista Create New Folder Script.ahk
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Program Files\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AvastVBox COM Service (AvastVBoxSvc) - Avast Software - C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer\TeamViewer_Service.exe
O23 - Service: WACService - Wondershare - C:\Program Files\Wondershare\Wondershare Application Center\WACService.exe

--
End of file - 8164 bytes

Speedy Gonzales
21-06-2015, 08:02 AM
Looks OK to me

Sam Bos
21-06-2015, 01:07 PM
Cool, thanks Speedy

Speedy Gonzales
21-06-2015, 01:38 PM
No probs