VOPackage.exe

So, my father was trying to download some software to help him with accounting. He ended up somehow downloading and installing 6 pieces of software, none of which helped him with his accounting…

MBAM helped, and got rid of almost all of them.

However, there is still something. I found this “VOPackage.exe” in the folder AppData > Roaming which seems to be the problem.
Besides, every time I open Google Chrome my start-up page is advertising, and it won’t change, even if I go into settings and try to set Google back as my start page.

Please help.

This is how the startup page is.
And the name of the file.

Let me know how it is after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
URLSearchHook: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 - (No Name) - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - No File
URLSearchHook: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - (No Name) - {3ee8d0be-f450-4ef2-97b9-ac2222d14db3} - No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll No File
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll No File
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 -> No Name - {3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {3EE8D0BE-F450-4EF2-97B9-AC2222D14DB3} - No File
Toolbar: HKU\S-1-5-21-1304123484-2936784365-3614486923-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
CHR Plugin: (Native Client) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\42.0.2311.90\gcswf32.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Users\Juliana\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.240.7) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U24) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll No File
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
StartMenuInternet: Google Chrome - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\chrome.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
StartMenuInternet: (HKLM) Opera.exe - C:\Program Files (x86)\Opera\Opera.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
2015-04-13 19:32 - 2015-04-13 19:32 - 00000000 ____D () C:\Users\Public\Documents\PC Faster
2015-04-13 19:31 - 2015-04-11 10:02 - 01028584 _____ (ShenZhen Enode Techology co,.Ltd) C:\ProgramData\WeatherMini.exe
2015-04-13 19:28 - 2015-04-13 20:56 - 00000000 __SHD () C:\Windows\SysWOW64\AI_RecycleBin
2015-04-13 19:26 - 2015-04-13 19:26 - 02178872 _____ (Reason Software Company Inc.) C:\Users\Juliana\Downloads\ShouldIRemoveIt_Setup.exe
2015-04-13 18:41 - 2015-04-13 18:41 - 00003174 _____ () C:\Windows\System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198}
2015-04-11 10:03 - 2015-04-11 10:03 - 00000000 ____D () C:\Users\Public\Documents\Baidu Security
2015-04-11 09:53 - 2015-04-13 19:32 - 00003570 _____ () C:\Windows\System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633
2015-04-11 09:51 - 2015-04-11 09:51 - 00000000 ____D () C:\Users\Public\Documents\Baidu
2012-01-17 03:07 - 2012-01-17 03:07 - 0000000 _____ () C:\Users\Juliana\AppData\Local\{2E7EC876-164A-4C97-965B-12236FA58876}
2015-04-13 19:31 - 2015-04-11 10:02 - 1028584 _____ (ShenZhen Enode Techology co,.Ltd) C:\ProgramData\WeatherMini.exe
Task: {0F50301E-E2F4-46D6-A93B-208D917AF4E5} - System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198} => pcalua.exe -a C:\Users\Juliana\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=slbnew
Task: {8AF1700A-B28B-42BA-8C8E-6C94A10CCEB2} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Duplicaterecord.js" <==== ATTENTION
AlternateDataStreams: C:\Users\Juliana\Desktop\IELTS 2013.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Juliana\Desktop\IELTS 2013.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
C:\ProgramData\Duplicaterecord.js
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double-click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

The start-up page is still not right…

And the file is still there at AppData > Roaming.

D:

The entry in the registry is just an orphan and can do no harm at all.

Does the start page problem only occur in Chrome?

No! It also happens in Internet Explorer.

There are no other browsers, so it happens in 100% of them :-\

Could I have a fresh FRST scan please?

Absolutely.

Could you let me know the result of this please?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
R2 NetTcpHandler; C:\Users\Juliana\AppData\Roaming\NetService\netservice.exe [211824 2015-03-20] (QNT)
C:\Users\Juliana\AppData\Roaming\NetService
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
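As an added example (my own code, not the thread's and not part of FRST): a small Python triage script that sorts FRST log lines into the indicator classes the two fixlists above removed, namely IE start page values, browser shortcut launch arguments, Chrome policy locks (which is why the start page could not be changed from settings), scheduled tasks that start a script host or anything under ProgramData/AppData, and services that live in AppData or whose file is missing. The sample lines are copied from the fixlists in this thread; the patterns and class names are assumptions of mine.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the FRST fixlists posted in this thread (abridged)
SAMPLE_FRST_LINES = r"""
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
StartMenuInternet: Google Chrome - C:\Users\Juliana\AppData\Local\Google\Chrome\Application\chrome.exe www.top8844.com?oem=mbtkv3&uid=60AEB53ZB_MK5065GSX&tm=1429185840
Task: {8AF1700A-B28B-42BA-8C8E-6C94A10CCEB2} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Duplicaterecord.js" <==== ATTENTION
Task: {0F50301E-E2F4-46D6-A93B-208D917AF4E5} - System32\Tasks\{A192FDA5-FB39-4532-A895-B9D20BCCF198} => pcalua.exe -a C:\Users\Juliana\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=slbnew
R2 NetTcpHandler; C:\Users\Juliana\AppData\Roaming\NetService\netservice.exe [211824 2015-03-20] (QNT)
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
""".strip().splitlines()

# One pattern per indicator class that the fixlists targeted
HOMEPAGE_RE = re.compile(r"Main,(?:Start Page|Default_Page_URL) = (\S+)")
SHORTCUT_RE = re.compile(r"^StartMenuInternet: (.+?) - .+\.exe (\S+)$")
POLICY_RE = re.compile(r"^CHR (HK\S+)\\SOFTWARE\\Policies\\Google: Policy restriction")
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - \S+ => (.+?)(?: <=+ ATTENTION)?$", re.I)
SERVICE_RE = re.compile(r"^[RS]\d (\S+?); (\S+)")
USER_WRITABLE_RE = re.compile(r"\\(?:ProgramData|AppData\\(?:Roaming|Local))\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(?:cscript|wscript|pcalua|mshta)\.exe", re.I)

def host_of(url):
    # The hijack URLs carry no scheme; the host ends at the first '?' or '/'
    return re.split(r"[?/]", url.split("://")[-1], maxsplit=1)[0].lower()

def triage(lines):
    # Group lines by indicator class; benign lines (e.g. "No File" plugins) are ignored
    findings = defaultdict(list)
    for line in lines:
        if m := HOMEPAGE_RE.search(line):
            findings["hijacked_homepage"].append(host_of(m.group(1)))
        elif m := SHORTCUT_RE.match(line):
            findings["browser_shortcut_arg"].append((m.group(1), host_of(m.group(2))))
        elif m := POLICY_RE.match(line):
            findings["chrome_policy_lock"].append(m.group(1))
        elif m := TASK_RE.match(line):
            # A task launching a script host, or anything under a user-writable directory
            if USER_WRITABLE_RE.search(m.group(1)) or SCRIPT_HOST_RE.search(m.group(1)):
                findings["suspicious_task"].append(m.group(1))
        elif m := SERVICE_RE.match(line):
            name, path = m.groups()
            if line.rstrip().endswith("[X]"):
                findings["orphaned_service"].append(name)   # service/driver file is gone
            elif USER_WRITABLE_RE.search(path):
                findings["service_in_user_dir"].append((name, path))
    return dict(findings)
```

Run `triage(open("FRST.txt", encoding="utf-8-sig").read().splitlines())` on a real FRST.txt to get the same grouping for a fresh scan; everything not matched still needs a human eye.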

Done!

The start-up page… sadly still there. In both Chrome and IE :frowning:

Is it the web page jogostempo that is the problem?

Well, if you tell me there is no malware, and that this page is not a sign that there is something harmful, then I think it’s alright. Is that it?

No, it is just that a Brazilian ISP DNS has been hacked. What is your ISP? http://g1.globo.com/tecnologia/noticia/2014/04/ataque-redireciona-clientes-da-net-para-virus-em-acesso-ao-google.html

The ISP is Virtua. It belongs to a major cable TV and telephone company in Brasil called "NET". Their clients are counted by the millions. I don't know how many of them were configured to use the server that was compromised.

Apparently my computers were not instantly infected because only the first of the two DNS servers in my DHCP’s default configuration was compromised. As this server was very, very slow, it timed out more often than not. So the true DNS server answered many of the requests.

wtf!!

Yes, that’s it. It explains why nothing was working!

Does it work if I change my DNS?

OpenDNS is a good one: https://store.opendns.com/setup/#/

Once you have that set up, can you let me know how the system is?
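An added example, not from the thread: a stdlib-only Python check that sends the same A query to each resolver the router handed out and to trusted resolvers, so the situation diagnosed above (an upstream ISP resolver that returns wrong answers, or times out) shows up per server as MISMATCH or TIMEOUT rather than MATCH. The function names, the 192.0.2.x placeholder resolver addresses in the usage note and the "any overlap counts as agreement" rule are mine; 208.67.222.222 / 208.67.220.220 are OpenDNS's published resolver addresses.

```python
import socket, struct

def build_query(name, txid=0x1234):
    # Standard A query, recursion desired, one question, no compression
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, pos):
    # A 0xC0 compression pointer is 2 bytes; otherwise walk labels to the 0 byte
    while data[pos] & 0xC0 != 0xC0 and data[pos] != 0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(data):
    # Collect IPv4 answers from a reply; other record types are skipped by length
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    answers = set()
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return answers

def query_a(server, name, timeout=3.0):
    # Ask one resolver directly over UDP/53; None on timeout (the thread's slow server)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_a_records(s.recv(512))
        except socket.timeout:
            return None

def check_resolvers(name, configured, trusted, resolve=query_a):
    # Any overlap with the trusted answers counts as agreement (CDNs rotate addresses)
    reference = set().union(*(resolve(t, name) or set() for t in trusted))
    verdicts = {}
    for server in configured:
        got = resolve(server, name)
        verdicts[server] = ("TIMEOUT" if got is None else
                            "MATCH" if got & reference else "MISMATCH")
    return verdicts
```

Call `check_resolvers("www.google.com", ["192.0.2.1", "192.0.2.2"], ["208.67.222.222", "208.67.220.220"])` with the first list replaced by the DNS servers `ipconfig /all` shows; a MISMATCH or TIMEOUT on an ISP resolver alone points at the upstream resolver, while a MATCH means the redirect lives on the machine.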

OK, so I changed the laptop’s DNS, but then figured out that my router’s DNS also needs to be changed!

Except that I don’t know how to do it :-[

I get to see the primary and secondary DNSs but can’t change them. Print screen attached.

It looks as though they are part of the firmware, so it is up to your ISP to fix the problem.

Have the alerts ceased since using OpenDNS?

No, still the same. :frowning:

So I’ll call them and see what can be done!

In case I manage to change my router’s DNS, should I use that same fixlist in FRST?

OK, let’s try something different.

Run an FRST scan and select Shortcut.txt. Attach that log.

Here they are!