system
April 18, 2015, 4:03am
1
So, my father was trying to download some software to help him with accounting. He ended up somehow downloading and installing six programs, none of which helped him with his accounting…
MBAM helped and got rid of almost all of them; however, there is still something. I found this “VOPackage.exe” in the folder AppData > Roaming, which seems to be the problem.
Besides, every time I open Google Chrome my start-up page is advertising, and it won’t change, even if I go into settings and try to set Google back as my start page.
Please help.
system
April 18, 2015, 4:06am
2
This is how the startup page is.
And the name of the file.
Let me know how it is after this.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
URLSearchHook: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 - (No Name) - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - No File
URLSearchHook: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - (No Name) - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll No File
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 -> No Name - {3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
CHR Plugin: (Native Client) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\gcswf32.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Users\Juliana\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U24) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll No File
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
StartMenuInternet: Google Chrome - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\chrome.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
StartMenuInternet: (HKLM) Opera.exe - C:\Program Files (x86)\Opera\Opera.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
2015-04-13 19:32 - 2015-04-13 19:32 - 00000000 ____D () C:\Users\Public\Documents\PC Faster
2015-04-13 19:31 - 2015-04-11 10:02 - 01028584 _____ (ShenZhen Enode Techology co,.Ltd) C:\ProgramData\WeatherMini.exe
2015-04-13 19:28 - 2015-04-13 20:56 - 00000000 __SHD () C:\Windows\SysWOW64\AI_RecycleBin
2015-04-13 19:26 - 2015-04-13 19:26 - 02178872 _____ (Reason Software Company Inc.) C:\Users\Juliana\Downloads\ShouldIRemoveIt_Setup.exe
2015-04-13 18:41 - 2015-04-13 18:41 - 00003174 _____ () C:\Windows\System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198}
2015-04-11 10:03 - 2015-04-11 10:03 - 00000000 ____D () C:\Users\Public\Documents\Baidu Security
2015-04-11 09:53 - 2015-04-13 19:32 - 00003570 _____ () C:\Windows\System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633
2015-04-11 09:51 - 2015-04-11 09:51 - 00000000 ____D () C:\Users\Public\Documents\Baidu
2012-01-17 03:07 - 2012-01-17 03:07 - 0000000 _____ () C:\Users\Juliana\AppData\Local\{2E7EC876-164A-4C97-965B-12236FA58876}
2015-04-13 19:31 - 2015-04-11 10:02 - 1028584 _____ (ShenZhen Enode Techology co,.Ltd) C:\ProgramData\WeatherMini.exe
Task: {0F50301E-E2F4-46D6-A93B-208D917AF4E5} - System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198} => pcalua.exe -a C:\Users\Juliana\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=slbnew
Task: {8AF1700A-B28B-42BA-8C8E-6C94A10CCEB2} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Duplicaterecord.js" <==== ATTENTION
AlternateDataStreams: C:\Users\Juliana\Desktop\IELTS 2013.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Juliana\Desktop\IELTS 2013.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
C:\ProgramData\Duplicaterecord.js
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
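The fixlist above is built from FRST log lines that a helper reads by eye: start pages rewritten to an advertising host, a Chrome policy restriction, a scheduled task that runs a script out of ProgramData, a service whose binary lives under AppData\Roaming. The following Python is an added example, not part of the thread or of FRST, that applies those same triage rules over a constructed sample made from the lines quoted above. The allowlist of "benign" start-page hosts and the rule thresholds are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of FRST-style lines taken from the fixlist in the
# thread above. It is not a complete FRST log.
SAMPLE_LOG = r"""
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
StartMenuInternet: Google Chrome - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\chrome.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\pdf.dll No File
Task: {8AF1700A-B28B-42BA-8C8E-6C94A10CCEB2} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Duplicaterecord.js" <==== ATTENTION
Task: {0F50301E-E2F4-46D6-A93B-208D917AF4E5} - System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198} => pcalua.exe -a C:\Users\Juliana\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=slbnew
R2 NetTcpHandler; C:\Users\Juliana\AppData\Roaming\NetService\netservice.exe [211824 2015-03-20] (QNT)
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
"""

# Hosts a stock Windows/IE/Chrome install plausibly uses as a start page.
# Assumed allowlist for this example; extend it for your own estate.
BENIGN_START_HOSTS = {"www.google.com", "google.com", "www.bing.com",
                      "www.msn.com", "go.microsoft.com", "about"}
SCRIPT_HOSTS = ("cscript", "wscript", "mshta", "powershell")

# Locations a non-admin user (or the adware it ran) can write to.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Users\\Public)\\", re.I)
START_PAGE_RE = re.compile(r",(?:Start Page|Default_Page_URL) = (\S+)")
START_MENU_RE = re.compile(r"^StartMenuInternet: .*?\.exe (\S+)$", re.I)
TASK_RE = re.compile(r"^Task: .*?=> (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d \S+; (.+?) \[")


def start_page_host(value):
    """Hostname of a start-page value; FRST prints it without a scheme."""
    if value.lower().startswith("about:"):
        return "about"
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def triage(log_text):
    """Return (category, detail, line) findings for every suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "ATTENTION" in line:            # FRST's own marker for known-bad items
            findings.append(("frst_attention", "flagged by FRST", line))
        m = START_PAGE_RE.search(line)
        if m and start_page_host(m.group(1)) not in BENIGN_START_HOSTS:
            findings.append(("startpage_hijack", start_page_host(m.group(1)), line))
        m = START_MENU_RE.match(line)      # browser shortcut launched with a URL argument
        if m and start_page_host(m.group(1)) not in BENIGN_START_HOSTS:
            findings.append(("startmenu_hijack", start_page_host(m.group(1)), line))
        m = TASK_RE.match(line)
        if m:
            cmd = m.group(1)
            if cmd.lower().startswith(SCRIPT_HOSTS):
                findings.append(("script_task", cmd, line))
            if USER_WRITABLE_RE.search(cmd):
                findings.append(("task_user_writable", cmd, line))
        m = SERVICE_RE.match(line)         # R2/S3 etc.: service or driver entries
        if m and USER_WRITABLE_RE.search(m.group(1)):
            findings.append(("service_user_writable", m.group(1), line))
    return findings


def summarize(findings):
    """Count findings per category, handy for a quick first look at a long log."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail, _ in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Orphaned entries ("No File", "[X]") are deliberately not flagged: as the helper says later in the thread, a registry entry pointing at a file that no longer exists does no harm, and the rules concentrate on things that still execute or still redirect the browser.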
system
April 18, 2015, 4:04pm
4
The start up page, it’s still not right…
And the file is still there at AppData>Roaming
D:
The entry in the registry is just an orphan and can do no harm at all.
Does the start page problem only occur in Chrome?
system
April 18, 2015, 6:55pm
6
No! It also happens in Internet Explorer.
There are no other browsers, so it happens in 100% of them :-\
Could I have a fresh FRST scan, please?
Could you let me know the result of this, please?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
R2 NetTcpHandler; C:\Users\Juliana\AppData\Roaming\NetService\netservice.exe [211824 2015-03-20] (QNT)
C:\Users\Juliana\AppData\Roaming\NetService
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
system
April 18, 2015, 9:41pm
10
done!
The start-up page… sadly still there, in both Chrome and IE.
Is it the web page jogostempo that is the problem?
system
April 18, 2015, 9:45pm
12
Well, if you tell me there is no malware, and that this page is not a sign that there is something harmful, then I think it’s alright. Is that it?
No, it is just that a Brazilian ISP DNS has been hacked. What is your ISP? http://g1.globo.com/tecnologia/noticia/2014/04/ataque-redireciona-clientes-da-net-para-virus-em-acesso-ao-google.html
The ISP is Virtua. It belongs to a major cable TV and telephone company in Brasil called "NET". Their clients are counted by the millions. I don't know how many of them were configured to use the server that was compromised.
Apparently my computers were not instantly infected because only the first of the two DNS servers in my DHCP’s default configuration was compromised. As this server was very, very slow, it timed out more often than not. So the true DNS server answered many of the requests.
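The explanation above is the key point of the thread: nothing left on the disk was rewriting the start page; the ISP's recursive resolver was answering with the wrong addresses, so every browser on every machine behind that DHCP configuration was affected. The Python below is an added example (not from the thread, the linked article, or any tool mentioned) showing how to verify that from a client: it builds and parses DNS A queries/responses at the wire level, compares what the system resolver returns against a reference resolver, and applies the classic hijack tell that unrelated names all resolve to one address. The offline sample uses constructed responses with RFC 5737 documentation addresses and `.test` names; `resolve_a` does a live UDP lookup and is an assumption about how you would feed real data in.

```python
import socket
import struct


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name):
    """Standard recursive A/IN query (flags 0x0100 = RD set)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def build_a_response(txid, name, ips, ttl=60):
    """Constructed A response with one answer per IP; used as offline sample data."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # compression pointer: follow it once
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt):
    """Return (txid, {ip, ...}) from a DNS response, ignoring non-A answers."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4                                # QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return txid, ips


def resolve_a(name, resolver, txid=0x1234, timeout=3.0):
    """Live lookup over UDP/53 (assumed usage; not exercised by the offline sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, name), (resolver, 53))
        pkt, _ = s.recvfrom(4096)
    rtxid, ips = parse_a_records(pkt)
    if rtxid != txid:
        raise ValueError("transaction id mismatch: answer is not for our query")
    return ips


def compare_answers(system_ips, reference_ips):
    """'match', 'overlap' or 'disjoint'. CDN-backed names legitimately overlap."""
    if system_ips == reference_ips:
        return "match"
    return "overlap" if system_ips & reference_ips else "disjoint"


def sinkhole_candidates(system_results, min_names=3):
    """IPs the system resolver returned for >= min_names unrelated names."""
    seen = {}
    for name, ips in system_results.items():
        for ip in ips:
            seen.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in seen.items() if len(names) >= min_names}


def audit(system_pkts, reference):
    """Parse raw responses from the system resolver and grade them against a reference."""
    system = {name: parse_a_records(pkt)[1] for name, pkt in system_pkts.items()}
    verdicts = {name: compare_answers(system[name], reference[name]) for name in reference}
    return verdicts, sinkhole_candidates(system)


# Constructed sample: the reference resolver's honest answers, and a "system"
# resolver that sends three unrelated names to the same address.
REFERENCE = {"bank.test": {"198.51.100.10"}, "mail.test": {"198.51.100.20"},
             "search.test": {"198.51.100.30", "198.51.100.31"}}
HIJACKED_PKTS = {name: build_a_response(7, name, ["203.0.113.66"]) for name in REFERENCE}

if __name__ == "__main__":
    print(audit(HIJACKED_PKTS, REFERENCE))
```

A single "disjoint" verdict is weak evidence on its own, because large sites hand different resolvers different addresses; the convincing signal, and the one that matches what happened in this thread, is the same answer coming back for names that have nothing to do with each other. That is also why the fixlist's network resets could not help: the client was doing exactly what its configured resolver told it.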
system
April 19, 2015, 8:00pm
14
wtf!!
Yes, that’s it. It explains why nothing was working!
Does it work if I change my DNS?
OpenDNS is a good one: https://store.opendns.com/setup/#/
Once you have that set up, can you let me know how the system is?
system
April 22, 2015, 1:19am
16
OK, so I changed the laptop’s DNS, but then figured out that my router’s DNS also needs to be changed!
Except that I don’t know how to do it :-[
I get to see the primary and secondary DNSs but can’t change them. Print screen attached.
It looks as though they are part of the firmware, so it is up to your ISP to fix the problem.
Have the alerts ceased since using OpenDNS?
system
April 22, 2015, 8:28pm
18
No, still the same.
So I’ll call them and see what can be done!
In case I manage to change my router’s DNS, should I use that same fixlist in FRST?
OK, let’s try something different.
Run an FRST scan and select Shortcut.txt. Attach that log.