
Compromised Computer Notification from ISP


8 replies to this topic

#1 mongorian


Posted 19 July 2016 - 11:19 AM

This is going to be a long one, sorry. Let me start by saying that I am a professional in the field (web systems engineer), so I have a pretty good working knowledge of systems and networks.

 

I recently (6/28/16) received an email from my ISP (Cox) stating that they detected a ZBot infection from my network, due to access of a known C&C server. I inspected the email headers to ensure that the email did in fact come from Cox and it appears to be legitimate.

 

I can post the URL that they said my network had contacted, but was not sure if I should do that in this forum or not, given the stated rules. Since my systems are behind a router locally Cox was (obviously) not able to tell which system on my side this traffic came from, but I only have one personal Windows system running at the moment. There are also a few Android devices, a smart TV, and Xbox One.

 

We use OpenDNS (free version) for our DNS services here, and the OpenDNS server IPs are configured directly on the router. All devices within the network use DHCP and pull the correct IPs for DNS services from the router as expected (FYI -- router is a DLink DIR-655 on the latest firmware). I have confirmed that all of this still appears to be in place and that OpenDNS is recording queries coming through it. I also confirmed that the specific URL that Cox flagged was indeed seen in the OpenDNS logs on 6/28/16. This part seemed a little strange to me -- that Cox was able to determine that this URL was accessed even though the DNS resolution did not occur on Cox DNS servers. But I wrote this off to them doing some sort of packet inspection against the actual traffic to/from this server.

 

The particular URL that was flagged ended in a .br (Brazilian) domain. I am in the US and do not do ANY business with any .br sites or companies (AFAIK). So, I went ahead and blocked ALL .br domains through OpenDNS. Since then I have not seen the flagged domain come up in the DNS logs again (even as a blocked request); however, I have seen a great many other .br domains being blocked within OpenDNS as a result. And I see these repeat daily, except on days when I have my personal Windows PC shut down for the day. These other domains appear to be mostly banking sites ending in .br, but none that I have any business with. When reviewing the OpenDNS logs I also saw a bunch of other foreign country addresses being resolved, so I went ahead and blocked as many of those as I could as well.

 

Here is a list of all the country specific domain identifiers that I saw in the OpenDNS logs and subsequently set to always block in OpenDNS. This is not a complete list of country domains that I saw in those logs though, as the free version of OpenDNS only allows a finite amount of blocking to be defined.

 

-> .br .cz .de .eu .fr .hk .in .int .it .mx .ph .pl .pt .ru .tr .tw .us .za

 

Also, looking at OpenDNS stats, I seem to see a spike in the number of DNS requests every evening around 22:00 - 23:00. This is around the time (if not after) that we all go to sleep for the evening, so I would think there should not be much going on then.

 

I have Avast installed on my personal Windows PC and it is finding nothing. The ESET scanner running in Safe Mode with Networking also came up with nothing. But I have read the detection rate of this type of infection is fairly poor (abysmal is the word that was used). I also installed Malwarebytes, but not until after the fact. Malwarebytes reports the system as clean as well.

 

I am just about ready to give up and just reload the system drive entirely but I wanted to see if you all could confirm my suspicions that this PC is indeed the culprit.

 

I got the following from netstat just a few minutes ago (FYI -- "Genghis" is my PC's hostname)...

 

C:\WINDOWS\system32>netstat -sp tcp

TCP Statistics for IPv4

  Active Opens                        = 26942
  Passive Opens                       = 4603
  Failed Connection Attempts          = 755
  Reset Connections                   = 11856
  Current Connections                 = 23
  Segments Received                   = 2653071
  Segments Sent                       = 1434952
  Segments Retransmitted              = 55713

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49909        Genghis:49910          ESTABLISHED
  TCP    127.0.0.1:49910        Genghis:49909          ESTABLISHED
  TCP    127.0.0.1:54317        Genghis:54318          ESTABLISHED
  TCP    127.0.0.1:54318        Genghis:54317          ESTABLISHED
  TCP    127.0.0.1:54320        Genghis:54321          ESTABLISHED
  TCP    127.0.0.1:54321        Genghis:54320          ESTABLISHED
  TCP    192.168.0.102:49680    sea13:http             ESTABLISHED
  TCP    192.168.0.102:56441    msnbot-65-52-108-207:https  ESTABLISHED
  TCP    192.168.0.102:59428    ec2-54-235-185-167:https  CLOSE_WAIT
  TCP    192.168.0.102:59429    ec2-54-235-185-167:https  CLOSE_WAIT
  TCP    192.168.0.102:59897    r-148-58-45-5:http     CLOSE_WAIT
  TCP    192.168.0.102:60746    ec2-54-235-185-167:https  CLOSE_WAIT
  TCP    192.168.0.102:61199    lax17s04-in-f37:https  TIME_WAIT
  TCP    192.168.0.102:61212    70.186.26.58:https     TIME_WAIT
  TCP    192.168.0.102:61213    70.186.26.52:https     TIME_WAIT
  TCP    192.168.0.102:61215    ec2-52-32-224-87:https  ESTABLISHED
  TCP    192.168.0.102:61216    70.186.26.55:https     ESTABLISHED
  TCP    192.168.0.102:61217    70.186.26.26:https     ESTABLISHED
  TCP    192.168.0.102:61218    70.186.24.56:https     ESTABLISHED
  TCP    192.168.0.102:61219    104.20.60.209:http     ESTABLISHED
  TCP    192.168.0.102:61220    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61221    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61222    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61223    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61224    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61225    8.25.207.134:http      ESTABLISHED
  TCP    192.168.0.102:61228    70.186.25.8:http       TIME_WAIT
  TCP    192.168.0.102:61229    70.186.26.25:https     TIME_WAIT
  TCP    192.168.0.102:61230    70.186.26.25:https     TIME_WAIT
  TCP    192.168.0.102:61231    70.186.24.25:https     TIME_WAIT

 

 

I had a couple of browser windows open with reddit, youtube, and some Asus pages loaded at the time. I will restart this system after posting and rerun the above command and post the new results to see if that cleans up any of these connections.

 

 

Thanks in advance for your help with this!!
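As an added example that is not part of the original post, here is the kind of triage script I would run over an exported DNS query log to answer the two questions raised above: which top-level domains dominate the traffic, and whether the 22:00-23:00 spike is real. The column layout and the sample lines are constructed for the example (the real OpenDNS export format differs and would need to be mapped onto the parser); the blocked-TLD list is the one given in the post.

```python
"""Aggregate DNS query log lines by top-level domain and by hour of day.

Added example, not from the thread. The log layout below is an assumption:
"YYYY-MM-DD HH:MM:SS,queried-domain,action". Adapt LINE_RE to the columns
of the export you actually have.
"""
import re
from collections import Counter
from datetime import datetime

# ccTLDs the poster set to "always block" in OpenDNS (taken from the thread)
BLOCKED_TLDS = {".br", ".cz", ".de", ".eu", ".fr", ".hk", ".in", ".int", ".it",
                ".mx", ".ph", ".pl", ".pt", ".ru", ".tr", ".tw", ".us", ".za"}

# Constructed sample log (not real data); one malformed line is included on purpose
SAMPLE_LOG = """\
2016-06-28 09:12:01,www.example.com,allowed
2016-06-28 22:05:11,login.bank-example.com.br,blocked
2016-06-28 22:06:40,cdn.example.net,allowed
2016-06-28 22:07:02,portal.example.com.br,blocked
2016-06-28 22:41:19,update.example.org,allowed
2016-06-28 23:00:05,www.example.de,blocked
2016-06-29 08:15:33,www.example.com,allowed
this line is garbage and should be skipped
2016-06-29 22:30:00,secure.example.com.br,blocked
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),([^,\s]+),(\w+)$")


def parse_log(text):
    """Yield (timestamp, domain, action) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2).lower().rstrip("."), m.group(3)


def tld_of(domain):
    """Last label with a leading dot, e.g. '.br' for 'x.com.br' (whole-ccTLD view, as the poster blocked)."""
    return "." + domain.rsplit(".", 1)[-1]


def summarize(text):
    """Return (queries per TLD, queries per hour of day, sorted domains under blocked TLDs)."""
    by_tld = Counter()
    by_hour = Counter()
    flagged = set()
    for ts, domain, _action in parse_log(text):
        tld = tld_of(domain)
        by_tld[tld] += 1
        by_hour[ts.hour] += 1
        if tld in BLOCKED_TLDS:
            flagged.add(domain)
    return by_tld, by_hour, sorted(flagged)


def busiest_hour(by_hour):
    """Hour of day with the most queries (earliest hour wins a tie); None for an empty log."""
    if not by_hour:
        return None
    return max(by_hour, key=lambda h: (by_hour[h], -h))


if __name__ == "__main__":
    tlds, hours, flagged = summarize(SAMPLE_LOG)
    print("Queries per TLD:", dict(tlds.most_common()))
    peak = busiest_hour(hours)
    print("Busiest hour of day: %02d:00 with %d queries" % (peak, hours[peak]))
    print("Domains under blocked TLDs:", flagged)
```

The per-hour histogram is the part worth keeping for the spike question: if the peak hour survives after the suspect machine is powered off for a night, the spike belongs to another device on the LAN rather than to the PC.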

 





#2 mongorian


Posted 19 July 2016 - 12:30 PM

Here is the same netstat command output following a fresh startup (taken about 5-10 minutes after startup to allow initial communications to settle down).

 

TCP Statistics for IPv4

  Active Opens                        = 381
  Passive Opens                       = 77
  Failed Connection Attempts          = 8
  Reset Connections                   = 101
  Current Connections                 = 8
  Segments Received                   = 22743
  Segments Sent                       = 16818
  Segments Retransmitted              = 475

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49668        Genghis:49669          ESTABLISHED
  TCP    127.0.0.1:49669        Genghis:49668          ESTABLISHED
  TCP    127.0.0.1:49671        Genghis:49672          ESTABLISHED
  TCP    127.0.0.1:49672        Genghis:49671          ESTABLISHED
  TCP    192.168.0.102:49680    sea15:http             ESTABLISHED
  TCP    192.168.0.102:49824    msnbot-65-52-108-224:https  ESTABLISHED
  TCP    192.168.0.102:49928    ec2-54-235-185-167:https  CLOSE_WAIT
  TCP    192.168.0.102:49941    198.41.208.141:https   TIME_WAIT
  TCP    192.168.0.102:49952    104.16.108.25:https    TIME_WAIT
  TCP    192.168.0.102:50033    ec2-52-3-11-85:https   TIME_WAIT
  TCP    192.168.0.102:50035    ec2-52-3-11-85:https   TIME_WAIT
  TCP    192.168.0.102:50040    198.41.209.151:https   TIME_WAIT
  TCP    192.168.0.102:50041    198.41.209.150:https   TIME_WAIT
  TCP    192.168.0.102:50042    ec2-52-33-117-223:https  TIME_WAIT
  TCP    192.168.0.102:50043    ec2-52-33-117-223:https  TIME_WAIT
  TCP    192.168.0.102:50050    104.16.69.29:https     TIME_WAIT
  TCP    192.168.0.102:50055    104.16.3.9:https       TIME_WAIT
  TCP    192.168.0.102:50058    a23-206-168-241:http   TIME_WAIT
  TCP    192.168.0.102:50060    64.4.54.253:https      ESTABLISHED
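An added example, not code from the thread: a small parser for the Active Connections table that both netstat pastes above use. It drops the loopback pairs (127.0.0.1 talking to the machine's own hostname, Genghis), then groups the remaining peers by endpoint and by state so that any connection to something other than a web port stands out for review. The table embedded below is constructed in the same layout; LOCAL_HOSTNAME and the set of "expected" ports are assumptions for the example.

```python
"""Triage the 'Active Connections' table printed by Windows 'netstat -sp tcp'.

Added example, not from the thread. Reads the four-column layout
(Proto / Local Address / Foreign Address / State) and summarizes the
connections that actually leave the machine.
"""
import ipaddress
from collections import Counter

LOCAL_HOSTNAME = "Genghis"   # the machine's own name; netstat prints it for loopback peers
WEB_PORTS = {"http", "https", "80", "443"}   # ports we expect from open browser windows
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the exact layout of 'netstat -sp tcp' on Windows (not real data)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49668        Genghis:49669          ESTABLISHED
  TCP    127.0.0.1:49669        Genghis:49668          ESTABLISHED
  TCP    192.168.0.102:49680    sea15:http             ESTABLISHED
  TCP    192.168.0.102:49824    ec2-203-0-113-10:https  CLOSE_WAIT
  TCP    192.168.0.102:50060    198.51.100.7:https     ESTABLISHED
  TCP    192.168.0.102:50061    198.51.100.7:https     TIME_WAIT
  TCP    192.168.0.102:50099    203.0.113.45:7777      ESTABLISHED
  TCP    192.168.0.102:50120    192.168.0.1:8080       ESTABLISHED
"""


def split_endpoint(addr):
    """'host:port' -> (host, port); splitting on the last colon also handles '[::1]:443'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """One dict per TCP row; header, blank and statistics lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({"lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": parts[3]})
    return rows


def is_loopback(row):
    """Local-to-local pairs: 127.x on the local side, or the peer resolved to our own hostname."""
    return row["lhost"].startswith("127.") or row["fhost"] == LOCAL_HOSTNAME


def peer_kind(host):
    """'private' / 'public' for literal IPs (RFC 1918 + loopback), 'name' for resolved hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def triage(text):
    """Return (count per (peer, port), count per state, sorted non-web peers to look at)."""
    rows = [r for r in parse_netstat(text) if not is_loopback(r)]
    by_peer = Counter((r["fhost"], r["fport"]) for r in rows)
    by_state = Counter(r["state"] for r in rows)
    review = sorted({(r["fhost"], r["fport"], peer_kind(r["fhost"]))
                     for r in rows if r["fport"] not in WEB_PORTS})
    return by_peer, by_state, review


if __name__ == "__main__":
    by_peer, by_state, review = triage(SAMPLE_NETSTAT)
    print("Connections per state:", dict(by_state))
    for (host, port), n in by_peer.most_common():
        print("%-24s %-6s x%d" % (host, port, n))
    print("Non-web peers to check:", review)
```

A snapshot like this only shows what is connected at that instant; to catch something that phones home briefly, run it repeatedly (for example once a minute for a day) and diff the review lists, and resolve each flagged peer's owner before drawing conclusions.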



#3 InadequateInfirmity


Posted 19 July 2016 - 06:30 PM

Adware Cleaner Scan.

 

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

JRT Scan.

Please download Junkware Removal Tool and save it on your desktop.

 

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Adware Removal Tool Scan.

 

Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.

 

 

[screenshot]

 

Hit Ok.

 

[screenshot]

 

Hit Next; make sure to leave all items checked for removal.

 

[screenshot]

 

 

The program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.

 

ZHP Scan.

Please download Zhp Cleaner to your desktop. Right Click the icon and select run as administrator.

http://ccm.net/download/download-24750-zhpcleaner

 

 

2. Once you have started the program, you will need to click the scanner button.

[screenshot]

The program will close all open browsers!

3. Once the scan is completed, you will want to click the Repair button.

[screenshot]

At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop.

Copy and paste the report here in your next reply.

 Zemana Scan

 

 

Run a full scan with Zemana AntiMalware!

Install and select deep scan.

[screenshot]

Remove any infections found.

Then click on the icon in the pic below.

[screenshot]

Double click on the scan log, then copy and paste it here in your reply.



#4 mongorian


Posted 20 July 2016 - 09:06 AM

Thanks for the reply. FYI - This system is running Windows 10. The ZHP tool would not seem to load properly. When I run it (whether as administrator or not) it would come up with a small window that only had an "update" or "close" option. When I chose update I would get a popup in the bottom right corner that said download ZHP, followed by another that said download complete, and then it just goes away.

Here are the logs for all of the other tools.

AdwCleaner:

C:\AdwCleaner\RegistryQuarantine\Quarantine.log...

HKLM\SOFTWARE\Classes\OCComSDK.ComSDK->C:\AdwCleaner\RegistryQuarantine\reg_jenbatsygf.reg
HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1->C:\AdwCleaner\RegistryQuarantine\reg_umiwaavcdn.reg
HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}->C:\AdwCleaner\RegistryQuarantine\reg_yijxtpqwgq.reg
HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}->C:\AdwCleaner\RegistryQuarantine\reg_eaoiaqkgsy.reg
HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}->C:\AdwCleaner\RegistryQuarantine\reg_gnqbztbhgv.reg
HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}->C:\AdwCleaner\RegistryQuarantine\reg_aijqrewloh.reg
HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}->C:\AdwCleaner\RegistryQuarantine\reg_jwblkfsrbe.reg
HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}->C:\AdwCleaner\RegistryQuarantine\reg_vqilctqciw.reg
HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}->C:\AdwCleaner\RegistryQuarantine\reg_hplbzchctb.reg
HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}->C:\AdwCleaner\RegistryQuarantine\reg_rampktsdyy.reg
HKCU\Software\APN PIP->C:\AdwCleaner\RegistryQuarantine\reg_bxuawibqun.reg
HKCU\Software\eSupport.com->C:\AdwCleaner\RegistryQuarantine\reg_eixewzrkcw.reg
HKCU\Software\PIP->C:\AdwCleaner\RegistryQuarantine\reg_qielteyzdp.reg
HKCU\Software\YahooPartnerToolbar->C:\AdwCleaner\RegistryQuarantine\reg_vkzcksjclt.reg
HKLM\SOFTWARE\PIP->C:\AdwCleaner\RegistryQuarantine\reg_wzyqlyfvhz.reg

C:\AdwCleaner\AdwCleaner[C1].txt...

# AdwCleaner v5.201 - Logfile created 19/07/2016 at 16:52:51
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-19.2 [Server]
# Operating system : Windows 10 Pro  (X64)
# Username : Jeremy - GENGHIS
# Running from : C:\Users\Jeremy\Downloads\adwcleaner_5.201.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\FoxTab

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[-] Key Deleted : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
[-] Key Deleted : HKCU\Software\APN PIP
[-] Key Deleted : HKCU\Software\eSupport.com
[-] Key Deleted : HKCU\Software\PIP
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKLM\SOFTWARE\PIP

***** [ Web browsers ] *****

[-] [C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js] Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
[-] [C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js] Deleted : user_pref("extensions.wrc.SearchRules.rambler.ru.url", "^hxxp\\:\\/\\/nova\\.rambler\\.ru\\/.+");
[-] [C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2471 bytes] - [19/07/2016 16:52:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [2751 bytes] - [19/07/2016 16:48:29]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2617 bytes] ##########

C:\AdwCleaner\AdwCleaner[S1].txt...

# AdwCleaner v5.201 - Logfile created 19/07/2016 at 16:48:29
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-19.2 [Server]
# Operating system : Windows 10 Pro  (X64)
# Username : Jeremy - GENGHIS
# Running from : C:\Users\Jeremy\Downloads\adwcleaner_5.201.exe
# Option : Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\FoxTab

***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Key Found : HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\eSupport.com
Key Found : HKCU\Software\PIP
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\PIP
Key Found : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\Software\APN PIP
Key Found : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\Software\eSupport.com
Key Found : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\Software\PIP
Key Found : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\Software\YahooPartnerToolbar

***** [ Web browsers ] *****

[C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js] Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
[C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js] Found : user_pref("extensions.wrc.SearchRules.rambler.ru.url", "^hxxp\\:\\/\\/nova\\.rambler\\.ru\\/.+");
[C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [2599 bytes] - [19/07/2016 16:48:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2672 bytes] ##########

JRT:

Desktop\JRT.txt...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Pro x64
Ran by Jeremy (Administrator) on Tue 07/19/2016 at 17:06:53.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 07/19/2016 at 17:08:48.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adware Removal Tool:

Desktop\pre-clean.txt...

Adware.Youndoo ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage
Adware.Youndoo ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage-journal
Adware.Youndoo ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d3jdlwnuo8nsnr.cloudfront.net_0.localstorage
Adware.Youndoo ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d3jdlwnuo8nsnr.cloudfront.net_0.localstorage-journal
Adware.Conduit ->> File ->> C:\WINDOWS\Prefetch\UPDATECHECKER.EXE-B76D4BC6.pf
Adware.Youndoo ->> Registry Key ->> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ <RegKey:> d3e88uf3rot81d.cloudfront.net
Adware.Vosteran ->> Registry Key ->> HKEY_LOCAL_MACHINE\SOFTWARE\classes\CLSID\ <RegKey:> {6DDA37BA-0553-499A-AE0D-BEBA67204548}
Adware.Vosteran ->> Registry Key ->> HKEY_CLASSES_ROOT\CLSID\ <RegKey:> {6DDA37BA-0553-499A-AE0D-BEBA67204548}
PUP.anchorfree ->> Browser: Firefox ->> C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js
Adware.Youndoo ->> Browser: Chrome ->> C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Preferences

Desktop\post-clean.txt...

[-] Deleted ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage
[-] Deleted ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage-journal
[-] Deleted ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d3jdlwnuo8nsnr.cloudfront.net_0.localstorage
[-] Deleted ->> File ->> C:\Users\Jeremy\Appdata\Local\Google\Chrome\User Data\Default\Local Storage\https_d3jdlwnuo8nsnr.cloudfront.net_0.localstorage-journal
[-] Deleted ->> File ->> C:\WINDOWS\Prefetch\UPDATECHECKER.EXE-B76D4BC6.pf
[-] Repaired ->> File ->> C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\prefs.js
[-] Repaired ->> File ->> C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Preferences
[-] Deleted ->> Registry Key ->> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3e88uf3rot81d.cloudfront.net
[-] Deleted ->> Registry Key ->> HKEY_LOCAL_MACHINE\SOFTWARE\classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
[-] Deleted ->> Registry Key ->> HKEY_CLASSES_ROOT\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
 

 

ZHP:

 

Did not seem to run successfully. Auto-opened a website in another language (French?) upon exiting.

 

 

Zemana:

 

Deep Scan Log...

 

Zemana AntiMalware 2.21.2.139 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/7/19
Operating System       : Windows 10 64-bit
Processor              : 2X Intel® Core™2 Duo CPU   E8400 @ 3.00GHz
BIOS Mode              : Legacy
CUID                   : 1252B204A8F4F69F274C2A
Scan Type              : Deep Scan
Duration               : 14m 27s
Scanned Objects        : 248726
Detected Objects       : 2
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Firefox Search
Status             : Scanned
Object             : Food Network - Recipes - http://web.foodnetwork.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Firefox Search

Firefox Search
Status             : Scanned
Object             : Food Network - Recipes - http://web.foodnetwork.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Firefox Search


Cleaning Result
-------------------------------------------------------
Cleaned               : 2
Reported as safe      : 0
Failed                : 0
 

 

Let me know if you'd like me to try anything else with the ZHP tool that I couldn't get to run correctly, or with any other tools.

 

 

Thanks!



#5 InadequateInfirmity


Posted 20 July 2016 - 09:00 PM

Scan & Clean With Ads Fix

 

  • Disable Windows Defender & Antivirus Prior To Running This Tool!!
  • Save Ads Fix to your desktop.
  • Right Click & Run As Administrator.
  • You will then be prompted to install Certificates.
  • Install then click OK.
  • Right Click & Run As Administrator Again.
  • Click Options then select Unlock the deletion.
  • Then click on clean.

Reset Host File

 

 

  • Click here to download RstHosts v2.0
  • Save the file to your desktop.
  • Right Click and Run as Administrator.
  • Click on Restaurer, then click OK at the prompt.
  • This will restore the default host file.
  • Next Click on Creer Un Rapport.
  • This will open a logfile, post that in your next reply.

 

 

Pre_Scan

 

Please download Pre_Scan.

Save it to your desktop.

Disable your antivirus, and windows defender.

Close all open work; Pre_Scan will close all processes in order to run.

Right Click Run as Admin.

Allow completion, when it completes the program will reboot your machine and open a log.

Please post that log here in your next reply.

 

 

 

9-Lab Scan.

 

  • Download 9-Lab Removal Tool.
  • CLICK HERE to determine whether you're running 32-bit or 64-bit for Windows.
  • Install the program onto your computer, then right click the icon and run as administrator.
  • Update the program and then run a full scan!
  • Make sure the program updates, might be better to install it update reboot and check for updates again.
  • You need to make sure the database updates!!!
  • Upon Scan Completion Click on Show Results.
  • Then Click On Clean 
  • Then Click on Save Log.
  • Save it to your desktop, copy and paste the contents of the log here in your next reply.


#6 mongorian


Posted 25 July 2016 - 06:01 PM

============== Ads Fix Log... ==============

 

---------- | AdsFix | g3n-h@ckm@n | 3_25.07.2016.1

----- Vista | 7 | 8 | 8.1 | 10 - 32/64 bits ----- Start 10:57:33 - 25/07/2016

update on : 25/07/2016 | 12.45 by g3n-h@ckm@n
Contact : http://www.sosvirus.net
Assistance : http://www.sosvirus.net/forum-virus-securite.html
Feedbacks : http://www.sosvirus.net/feedbacks-t75915.html
Facebook : https://www.facebook.com/AdsFixAntiAdware
C:\Users\Jeremy\Downloads\adsfix_3_25.07.2016.1.exe
Boot: Normal boot
[Jeremy (Administrator)] - [GENGHIS] -  (USA [0409])
SID = S-1-5-21-4163743241-2225681512-1622168612-1001 || [4a6572656d79205e5e]
PC : ASUSTeK COMPUTER INC. - Z170-A - SKU
Processor : X64 - 3504 - Intel® Core™ i5-6600K CPU @ 3.50GHz
Bios : American Megatrends Inc. - 03/24/2016 - V.1801
CoreTemp : 29.8 C

CPU #1 value:0 %
CPU #2 value:0 %
CPU #3 value:0 %
CPU #4 value:0 %
Total Overall CPU Usage value:0 %

System : Windows 10 Pro (64 bits) Professional
RAM memory = Total (MB) : 16691 | Free (MB) : 13784
Pagefile = Total (MB) : 17215 | Free (MB) : 14487
Virtual = Total (MB) : 4194 | Free (MB) : 3900

C:\ -> [Fixed] | [] | Total : 237.11 Go | Free : 168.32 Go -> NTFS (SSD) [SATA]
D:\ -> [Fixed] | [RAID1] | Total : 3725.82 Go | Free : 2706.07 Go -> NTFS [SATA]
E:\ -> [Fixed] | [RAID0] | Total : 1192.06 Go | Free : 190.89 Go -> NTFS [SATA]
X:\ -> [Fixed] | [Elements] | Total : 931.48 Go | Free : 52.22 Go -> NTFS [USB]

Registry saved, to restore :  Click on Options & Restore the register (C:\AdsFix\Save\Registry [25.07.2016 @ 10_57_33]) or an element
Restore files or folders deleted by mistake : Click on Options & Restore Files | Folders, Select an item >> "restore"

---------- | Windows Updates

---------- | Browsers

IE : 11.0.10586.494     (© Microsoft Corporation. All rights reserved.)
FF : 47.0.1.6018     (©Firefox and Mozilla Developers; available under the MPL 2 license.)
MS-Edge : 11.0.10586.494     (© Microsoft Corporation. All rights reserved.)

---------- | Security (atcav : 0)

FW :
WMI : OK
WU: Windows Update Service [Manual(3)] = Order
AS: Windows Defender [Manual(3)] = Order
FW: Windows FireWall Service [Auto(2)] = Started
WMI: Windows Management Instrumentation (System Information) [Auto(2)] = Started

---------- | FlashPlayer

ActiveX : 22.0.0.209
Plugin : 22.0.0.209

---------- | Killed processes

1216 | [Owner :  |Parent : 748(services.exe)] - (.NVIDIA Corporation - NVIDIA Driver Helper Service, Version 368.81.) - (8.17.13.6881) = C:\Windows\System32\nvvsvc.exe
1228 | [Owner :  |Parent : 748(services.exe)] - (.NVIDIA Corporation - Stereo Vision Control Panel API Server.) - (7.17.13.6881) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
1420 | [Owner :  |Parent : 1216()] - (.NVIDIA Corporation - NVIDIA User Experience Driver Component.) - (8.17.13.6881) = C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
1508 | [Owner :  |Parent : 748(services.exe)] - (.AMD - AMD External Events Service Module.) - (6.14.11.1122) = C:\Windows\System32\atiesrxx.exe
1536 | [Owner :  |Parent : 1508(atiesrxx.exe)] - (.AMD - AMD External Events Client Module.) - (6.14.11.1122) = C:\Windows\System32\atieclxx.exe
2076 | [Owner : LogonSessionId_0_182291 |Parent : 748(services.exe)] - (.Microsoft Corporation - Spooler SubSystem App.) - (10.0.10586.122) = C:\Windows\System32\spoolsv.exe
2244 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.ASUSTeK Computer Inc. -.) - (0.1.0.19) = C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
2252 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Adobe Systems Incorporated - Adobe Acrobat Update Service.) - (1.824.19.1728) = C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
2308 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Adobe Systems Incorporated - Adobe Update Service.) - (3.7.0.271) = C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
2316 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Adobe Systems, Incorporated - AGS Service.) - (2.6.0.81) = C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
2332 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.ASUSTeK Computer Inc. - ASUS Motherboard Fan Control Service.) - (1.0.1.4) = C:\Program Files (x86)\ASUS\AsusFanControlService\1.06.28\AsusFanControlService.exe
2348 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.-.) - (0.0.0.0) = C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe
2356 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.-.) - (0.0.0.0) = C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
2372 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.NVIDIA Corporation - NVIDIA GeForce ExperienceService.) - (2.11.4.0) = C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
2384 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - RAID Monitor.) - (8.9.0.1023) = C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2400 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Microsoft Corporation - Microsoft Office Click-to-Run (SxS).) - (16.0.6925.1018) = C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
2524 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - Intel® PROSet Monitoring Service.) - (20.2.4000.0) = C:\Windows\System32\IPROSetMonitor.exe
2592 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Marvell - Marvell Storage Service.) - (3.1.0.1) = C:\Program Files (x86)\Marvell\storage\svc\mvraidsvc.exe
2704 | [Owner : LogonSessionId_0_195596 |Parent : 748(services.exe)] - (.Microsoft Corporation - Message Queuing Service.) - (10.0.10586.0) = C:\Windows\System32\mqsvc.exe
2716 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Apache Software Foundation - Apache HTTP Server.) - (2.2.15.0) = C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe
2744 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.NVIDIA Corporation - NVIDIA Network Service.) - (2.4.13.69) = C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
2836 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.NVIDIA Corporation - NVIDIA Streamer Service.) - (7.1.2084.9592) = C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
2920 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.-.) - (0.0.0.0) = C:\ProgramData\TVersity\Media Server\MediaServer.exe
3156 | [Owner : LOCAL SERVICE |Parent : 572(svchost.exe)] - (.Microsoft Corporation - Device Association Framework Provider Host.) - (10.0.10586.0) = C:\Windows\System32\dasHost.exe
4968 | [Owner : SYSTEM |Parent : 2716()] - (.Apache Software Foundation - Apache HTTP Server.) - (2.2.15.0) = C:\Program Files (x86)\Marvell\storage\Apache2\bin\httpd.exe
5036 | [Owner : NETWORK SERVICE |Parent : 748(services.exe)] - (.NVIDIA Corporation - NVIDIA Network Stream Service.) - (7.1.2084.9592) = C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
7076 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - IAStorDataSvc.) - (14.8.0.1042) = C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
1660 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - Intel® Dynamic Application Loader Host Interface.) - (11.0.0.1173) = C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
6252 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - Intel® Local Management Service.) - (11.0.0.1173) = C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
1248 | [Owner : SYSTEM |Parent : 748(services.exe)] - (.Intel Corporation - Intel® Security Assist.) - (1.0.0.532) = C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
7708 | [Owner : SYSTEM |Parent : 2836()] - (.NVIDIA Corporation - NVIDIA Streamer User Agent.) - (7.1.2084.9592) = C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
4976 | [Owner : Jeremy |Parent : 624(svchost.exe)] - (.Microsoft Corporation - Host Process for Windows Tasks.) - (10.0.10586.0) = C:\Windows\System32\taskhostw.exe
2784 | [Owner : Jeremy |Parent : 896(svchost.exe)] - (.Microsoft Corporation - Runtime Broker.) - (10.0.10586.0) = C:\Windows\System32\RuntimeBroker.exe
6940 | [Owner : Jeremy |Parent : 6816()] - (.NVIDIA Corporation - NVIDIA Backend.) - (20.16.6.0) = C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
4180 | [Owner : Jeremy |Parent : 1420()] - (.NVIDIA Corporation - NVIDIA Settings.) - (7.17.13.6881) = C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
4776 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Realtek Semiconductor - Realtek HD Audio Manager.) - (1.0.546.0) = C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
5288 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.-.) - (2.1.0.0) = C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
2164 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Microsoft Corporation - Microsoft OneDrive.) - (17.3.6390.509) = C:\Users\Jeremy\AppData\Local\Microsoft\OneDrive\OneDrive.exe
8288 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Hewlett-Packard Co. - HP Digital Imaging Monitor.) - (140.0.297.0) = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
8360 | [Owner : SYSTEM |Parent : 776(winlogon.exe)] - (.Microsoft Corporation - Usermode Font Driver Host.) - (10.0.10586.420) = C:\Windows\System32\fontdrvhost.exe
8648 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.- MFManager.) - (1.5.0.6) = C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe
8728 | [Owner : Jeremy |Parent : 1864()] - (.Hewlett-Packard - hpwuSchd Application.) - (80.1.1.0) = C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
8876 | [Owner : Jeremy |Parent : 1864()] - (.Oracle Corporation - Java Update Scheduler.) - (2.8.91.14) = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
9056 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Canon INC. - EOS Utility.) - (0.1.7.0) = C:\Program Files (x86)\Canon\EOS Utility\EOS Utility.exe
9076 | [Owner : Jeremy |Parent : 1864()] - (.Adobe Systems Incorporated - Adobe Creative Cloud.) - (3.7.0.272) = C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
9128 | [Owner : Jeremy |Parent : 9076(Creative Cloud.exe)] - (.Adobe Systems Incorporated - Adobe IPC Broker.) - (5.2.0.49) = C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
9192 | [Owner : Jeremy |Parent : 1864()] - (.- MarvellTray.) - (1.3.0.8) = C:\Program Files (x86)\Marvell\storage\tray\MarvellTray.exe
8304 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Microsoft Corporation - Send to OneNote Tool.) - (16.0.6965.2058) = C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
8528 | [Owner : Jeremy |Parent : 9076()] - (.Adobe Systems Incorporated - Creative Cloud.) - (3.7.0.272) = C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
8612 | [Owner : Jeremy |Parent : 9076()] - (.Adobe Systems Incorporated - Adobe CEF Helper.) - (3.7.0.271) = C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
8700 | [Owner : Jeremy |Parent : 8528(Adobe Desktop Service.exe)] - (.- Core Sync.) - (2.2.0.256) = C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
2828 | [Owner : Jeremy |Parent : 8528(Adobe Desktop Service.exe)] - (.Adobe Systems Incorporated - CCXProcess.) - (1.3.0.237) = C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
9372 | [Owner : Jeremy |Parent : 624(svchost.exe)] - (.Samsung Electronics. - Samsung Magician Application.) - (4.5.1.65) = C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe
9912 | [Owner : Jeremy |Parent : 8528()] - (.Adobe Systems Incorporated - CCLibraries.) - (2.5.8.765) = C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\CCLibrary.exe
8932 | [Owner : Jeremy |Parent : 7848()] - (.Intel Corporation - IAStorIcon.) - (14.8.0.1042) = C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
9484 | [Owner : Jeremy |Parent : 748(services.exe)] - (.Microsoft Corporation - Host Process for Windows Services.) - (10.0.10586.0) = C:\Windows\System32\svchost.exe
9088 | [Owner : Jeremy |Parent : 896(svchost.exe)] - (.Microsoft Corporation - Host Process for Setting Synchronization.) - (10.0.10586.494) = C:\Windows\System32\SettingSyncHost.exe
6412 | [Owner : Jeremy |Parent : 896(svchost.exe)] - (.Microsoft Corporation - System Settings Broker.) - (10.0.10586.0) = C:\Windows\System32\SystemSettingsBroker.exe
1252 | [Owner : Jeremy |Parent : 8312(AvastUI.exe)] - (.Microsoft Corporation - CTF Loader.) - (10.0.10586.0) = C:\Windows\SysWOW64\ctfmon.exe

---------- | Tasks

Deleted successfully : Private Internet Access Startup


---------- | Services


---------- | AppCertDlls | AppInit_DLLs


---------- | DNSapi.dll

C:\WINDOWS\System32\dnsapi.dll : \drivers\etc\hosts
C:\WINDOWS\SysWOW64\dnsapi.dll : \drivers\etc\hosts

---------- | Hosts


---------- | SafeBoot


---------- | Winsock


---------- | DNS


---------- | Register

---------- | AdsFix | g3n-h@ckm@n | 3_25.07.2016.1

----- Vista | 7 | 8 | 8.1 | 10 - 32/64 bits ----- Start 11:14:29 - 25/07/2016

update on : 25/07/2016 | 12.45 by g3n-h@ckm@n
Contact : http://www.sosvirus.net
Assistance : http://www.sosvirus.net/forum-virus-securite.html
Feedbacks : http://www.sosvirus.net/feedbacks-t75915.html
Facebook : https://www.facebook.com/AdsFixAntiAdware
C:\Users\Jeremy\Downloads\adsfix_3_25.07.2016.1.exe
Boot: SafeMode with network
[Jeremy (Administrator)] - [GENGHIS] -  (USA [0409])
SID = S-1-5-21-4163743241-2225681512-1622168612-1001 || [4a6572656d79205e5e]
PC : ASUSTeK COMPUTER INC. - Z170-A - SKU
Processor : X64 - 3504 - Intel® Core™ i5-6600K CPU @ 3.50GHz
Bios : American Megatrends Inc. - 03/24/2016 - V.1801
CoreTemp : 29.8 C

CPU #1 value:0 %
CPU #2 value:0 %
CPU #3 value:0 %
CPU #4 value:0 %
Total Overall CPU Usage value:0 %

System : Windows 10 Pro (64 bits) Professional
RAM memory = Total (MB) : 16691 | Free (MB) : 15668
Pagefile = Total (MB) : 17215 | Free (MB) : 16318
Virtual = Total (MB) : 4194 | Free (MB) : 3922

C:\ -> [Fixed] | [] | Total : 237.11 Go | Free : 175.39 Go -> NTFS (SSD) [SATA]
D:\ -> [Fixed] | [RAID1] | Total : 3725.82 Go | Free : 2706.07 Go -> NTFS [SATA]
E:\ -> [Fixed] | [RAID0] | Total : 1192.06 Go | Free : 190.89 Go -> NTFS [SATA]
X:\ -> [Fixed] | [Elements] | Total : 931.48 Go | Free : 52.22 Go -> NTFS [USB]

Registry saved, to restore :  Click on Options & Restore the register (C:\AdsFix\Save\Registry [25.07.2016 @ 11_14_28]) or an element
Restore files or folders deleted by mistake : Click on Options & Restore Files | Folders, Select an item >> "restore"

---------- | Windows Updates

---------- | Browsers

IE : 11.0.10586.494     (© Microsoft Corporation. All rights reserved.)
FF : 47.0.1.6018     (©Firefox and Mozilla Developers; available under the MPL 2 license.)
MS-Edge : 11.0.10586.494     (© Microsoft Corporation. All rights reserved.)

---------- | Security (atcav : 0)

FW :
WMI : OK
WU: Windows Update Service [Manual(3)] = Order
AS: Windows Defender [Manual(3)] = Order
FW: Windows FireWall Service [Auto(2)] = Started
WMI: Windows Management Instrumentation (System Information) [Auto(2)] = Started

---------- | FlashPlayer

ActiveX : 22.0.0.209
Plugin : 22.0.0.209

---------- | Killed processes

1912 | [Owner : Jeremy |Parent : 772(svchost.exe)] - (.Microsoft Corporation - Runtime Broker.) - (10.0.10586.0) = C:\Windows\System32\RuntimeBroker.exe
1960 | [Owner : Jeremy |Parent : 1856(explorer.exe)] - (.Microsoft Corporation - CTF Loader.) - (10.0.10586.0) = C:\Windows\System32\ctfmon.exe
2500 | [Owner : Jeremy |Parent : 772(svchost.exe)] - (.Microsoft Corporation - Microsoft Help and Support.) - (10.0.10586.494) = C:\Windows\HelpPane.exe

---------- | Tasks

Deleted successfully : CreateExplorerShellUnelevatedTask


---------- | Services


---------- | AppCertDlls | AppInit_DLLs


---------- | DNSapi.dll

C:\WINDOWS\System32\dnsapi.dll : \drivers\etc\hosts
C:\WINDOWS\SysWOW64\dnsapi.dll : \drivers\etc\hosts

---------- | Hosts


---------- | SafeBoot


---------- | Winsock


---------- | DNS


---------- | Register

Deleted successfully : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SystemUsageReportSvc
Deleted successfully : HKLM\SOFTWARE\Microsoft\Tracing\TTSSoftwareUpdater_RASAPI32
Deleted successfully : HKLM\SOFTWARE\Microsoft\Tracing\TTSSoftwareUpdater_RASMANCS
Deleted successfully : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]~[C:\Users\Jeremy\Downloads\SoftwareUpdater-Setup-Web-v2.1.1.exe]
Deleted successfully : HKLM\SOFTWARE\Wow6432Node\WinPcap
Deleted successfully : HKLM\SOFTWARE\Wow6432Node\TTS
Deleted successfully : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]~[DefaultScope] : {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Deleted successfully : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]~[DefaultScope]
Deleted successfully : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} : C:\Users\Jeremy\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Deleted successfully : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77CB5E2F-1517-462E-9303-637B4A91A312} : 1
Deleted successfully : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Deleted successfully : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Deleted successfully : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B76FB1D834550AF4B91398F6C23DAAE6 : 02:\Software\TTS\TTS Software Updater\Version
Deleted successfully : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F05AE22F72D3DB34FB96BCA69F6FF708 :     [C:\WINDOWS\Installer\17597c.msi]
Deleted successfully : [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]~[C:\Program Files (x86)\TTS\Software Updater\]
Deleted successfully : [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]~[C:\Program Files (x86)\TTS\Software Updater\Docs\]
Deleted successfully : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst : (WinPcap 4.1.3) C:\Program Files (x86)\WinPcap\uninstall.exe

---------- | Folders | Files

Deleted successfully : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk     (.-.)     
Deleted successfully : C:\Users\Jeremy\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico     (.-.)     
Deleted successfully : C:\Users\Jeremy\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{77CB5E2F-1517-462E-9303-637B4A91A312}.ico     (.-.)     
Deleted successfully : C:\Users\Jeremy\Downloads\SoftwareUpdater-Setup-Web-v2.1.1.exe     (Copyright © 2013 TTS.-.TTS Software Updater)     SoftwareUpdater-Setup-Web-v2.1.1.exe
Deleted successfully : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
Deleted successfully : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TTS\Software Updater
Deleted successfully : C:\WINDOWS\System32\lokiplus_api.dll     (TODO: © <Company name>.  All rights reserved..-.TODO: <Product name>)     lokiplus_api.dll
Deleted successfully : C:\WINDOWS\System32\lt-LT
Deleted successfully : C:\WINDOWS\System32\lv-LV
Deleted successfully : C:\WINDOWS\System32\Macromed
Deleted successfully : C:\WINDOWS\System32\manifeststore
Deleted successfully : C:\WINDOWS\Installer\17597c.msi     (.-.)    [Package Install]
Deleted successfully : C:\ProgramData\DP45977C.lfl     (.-.)     
Deleted successfully : C:\ProgramData\ntuser.pol     (.-.)     
Deleted successfully : C:\ProgramData\Network_Meter_Data.csv     (.-.)     
Deleted successfully : C:\ProgramData\hpzinstall.log     (.-.)     
Deleted successfully : C:\ProgramData\boost_interprocess

---------- | .LNK


---------- | opening unknown extension


---------- | Proxy


---------- | Internet Explorer

Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\Main]~[Search Page] : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Repaired : [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]~[Local Page] : %11%\blank.htm -> C:\WINDOWS\System32\blank.htm
Repaired : [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]~[Local Page] : %11%\blank.htm -> C:\WINDOWS\System32\blank.htm
Repaired : [HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main]~[Local Page] : C:\Windows\SysWOW64\blank.htm -> C:\WINDOWS\System32\blank.htm
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter]~[Enabled] :  -> 2
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter]~[EnabledV8] :  -> 1
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet settings]~[WarNonBadCertReceving] :  -> 1
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet settings]~[WarNonHTTPSToHTTPRedirect] :  -> 1
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Microsoft\Internet Explorer\Toolbar]~[Locked] : 1 -> 0

---------- | Yandex



---------- | Google Chrome

Deleted successfully : HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Policies\Google
Deleted successfully : C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Web Data     (.-.)     Reseted successfully : SearchURL
Deleted successfully : C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Preferences     (.-.)     Reseted successfully : Preferences
Deleted successfully : C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences     (.-.)     Reseted successfully : Preferences

C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\aapocclcgogkmnckokdopfmhonfmgoek =  : Google & co - Google & co - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\aknpkdffaafgjchaibgeefbgmgeghloj =  :     __MSG_desc__ - http://chrome.angrybirds.com -     Angry Birds - [http://chrome.angrybirds.com] - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\aohghmighlieiainnegkcijnfilokake =  : Google & co - Google & co - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\apdfllckaahabafndbhieahigkjlhalf =  : Google & co - https://drive.google.com/?usp=chrome_app - Google & co - [http://docs.google.com/http://drive.google.com/https://docs.google.com/https://drive.google.com/] - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo =  : Google & co - http://www.youtube.com - http://www.youtube.com - Google & co - http://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\coobgpohoikkiipiblmjeljniedjpjpf =  : Google & co - http://www.google.com/webhp?source=search_app - Google & co - [*://www.google.com/search*://www.google.com/webhp*://www.google.com/imgres] - http://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\felcaaldnbdncclmgdcncolpebgiejap =  : Google & co - Google & co - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\gcbommkclmclpchllfjekcdonpmejbdp =  :     __MSG_about_ext_description__ -     __MSG_about_ext_name__ - permissions:[webNavigationwebRequestwebRequestBlockingtabscookiesstorage\u003Call_urls>] - http://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi =  :     __MSG_extDesc__ -     __MSG_extName__ - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\nmmhkkegccagdldgiimedpiccmgmieda =  : Google & co - Google & co - 203784468217.apps.googleusercontent.com - https://clients2.google.com/service/update2/crx
C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\extensions\pjkljhegncpnkpknbcohdijeoejaedia =  : Google & co - https://mail.google.com/mail/ca - Google & co - [*://mail.google.com/mail/ca] - http://clients2.google.com/service/update2/crx

---------- | Chromium



---------- | Comodo Dragon



---------- | Firefox

Deleted successfully : C:\Users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\wyonpda7.default\sessionstore.js     (.-.)     
Deleted successfully : C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\on1mupx5.default\sessionstore.js     (.-.)     
[Jeremy | x0jlbzgk.default] Replaced : user_pref("browser.startup.homepage", "about:home"); -> user_pref("browser.startup.homepage", "https://www.google.com");
[Jeremy | x0jlbzgk.default] Deleted successfully : user_pref("pref.privacy.disable_button.view_passwords", false);

C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\x0jlbzgk.default\Extensions\https-everywhere@eff.org =  :   HTTPS-Everywhere -  :   https://www.eff.org/https-everywhere

---------- | SeaMonkey



---------- | Pale moon



---------- | Opera



---------- | Spark



---------- | StartMenuInternet

Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]~[] : "C:\Users\Jeremy\AppData\Local\Google\Chrome\Application\chrome.exe" -> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Repaired : [HKLM\SOFTWARE\Clients\StartMenuInternet\IExplore.exe\shell\open\command]~[] : C:\Program Files\Internet Explorer\iexplore.exe -> "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Repaired : [HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]~[] : "C:\Users\Jeremy\AppData\Local\Google\Chrome\Application\chrome.exe" -> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Repaired : [HKLM\SOFTWARE\Clients\StartMenuInternet\SafeZoneStable\Shell\open\Command]~[] : "C:\Program Files\AVAST Software\SZBrowser\Launcher.exe" -> "C:\Program Files (x86)\AVAST Software\SZBrowser\Launcher.exe"
Repaired : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]~[] : "C:\Users\Jeremy\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser -> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --make-default-browser
Repaired : [HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]~[] : "C:\Users\Jeremy\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser -> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --make-default-browser
Repaired : [HKLM\SOFTWARE\Clients\StartMenuInternet\SafeZoneStable\InstallInfo]~[] : "C:\Program Files\AVAST Software\SZBrowser\Launcher.exe" --makedefaultbrowser -> "C:\Program Files (x86)\AVAST Software\SZBrowser\Launcher.exe" --makedefaultbrowser
Repaired : [HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet\Google Chrome\InstallInfo]~[] : "C:\Users\Jeremy\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser -> "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --make-default-browser
Repaired : [HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet\SafeZoneStable\InstallInfo]~[] : "C:\Program Files\AVAST Software\SZBrowser\Launcher.exe" --makedefaultbrowser -> "C:\Program Files (x86)\AVAST Software\SZBrowser\Launcher.exe" --makedefaultbrowser

---------- | Javascript


---------- | Firewall


---------- | ADS


Other(s) report(s)


Analyzed : 510347 | Modified : 19 | Deleted : 44

---------- |EOF| ---------- | 13:16:47 | [29 Ko]

Interestingly, after running Ads Fix, Zemana popped up with a hosts file hijack warning (and request to repair it) saying that the hosts file had been hidden. Zemana had not complained of this at all before this. I went ahead with the RstHosts app as instructed, and also let Zemana "repair" it. I have confirmed that I can see the hosts file and it is a stock (essentially empty) file.

============== The RstHosts log... ==============

-|x| RstHosts v2.0 - Rapport créé le 25/07/2016 à 14:35:47
-|x| Système d'exploitation : Windows 10 Pro  (64 bits)
-|x| Nom d'utilisateur : Jeremy - GENGHIS (Administrateur)

-|x|- Informations -|x|-

Emplacement : C:\WINDOWS\System32\drivers\etc\hosts
Attribut(s) : RASH
Propriétaire : Administrators - BUILTIN
Taille : 89 bytes
Date de création : 13/07/2009 - 19:34:48
Date de modification : 25/07/2016 - 14:35:36
Date de dernier accès : 25/07/2016 - 14:35:36

-|x|- Contenu du fichier -|x|-

# Fichier Hosts créé par RstHosts

127.0.0.1       localhost
::1             localhost

-|x|- E.O.F - C:\RstHosts.txt - 602 bytes -|x|-

============== Pre-Scan log... ==============

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Pre_Scan | g3n-h@ckm@n | 6_20.07.2016.1 ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤ XP | Vista | 7 | 8 - 32/64 bits ¤¤¤¤¤ - Start 14:43:46

Updated 20/07/2016 | 00.20 by g3n-h@ckm@n
Contact : http://www.sosvirus.net/
Pre_scan Feedbacks : http://www.sosvirus.net/feedback-t74962.html

[Jeremy (Administrator)] - [GENGHIS]
SID = S-1-5-21-4163743241-2225681512-1622168612-1001

Boot: SafeMode with network
System : Windows 10 Pro (64 bits) Professional
ProcessorNameString : Intel® Core™ i5-6600K CPU @ 3.50GHz
Identifier : Intel64 Family 6 Model 94 Stepping 3
CoreTemp : 29.8 Celsius - Max : 119 Celsius

Memory RAM = Total (MB) : 16691 | Free (MB) : 15736
Pagefile = Total (MB) : 17215 | Free (MB) : 16400
Virtual = Total (MB) : 4194 | Free (MB) : 3903

¤¤¤¤¤¤¤¤¤¤ # Components of starting up


¤¤¤¤¤¤¤¤¤¤¤ # Drives

X:\-> [Fixed] | [Elements] | Total : 931.48 Go | Free : 52.22 Go -> NTFS [USB]
E:\-> [Fixed] | [RAID0] | Total : 1192.06 Go | Free : 190.89 Go -> NTFS [SATA]
D:\-> [Fixed] | [RAID1] | Total : 3725.82 Go | Free : 2706.07 Go -> NTFS [SATA]
C:\-> [Fixed] | [] | Total : 237.11 Go | Free : 163.18 Go -> NTFS (SSD) [SATA]

¤¤¤¤¤¤¤¤¤¤ # Windows updates

No detected update !!!

Microsoft : +


¤¤¤¤¤¤¤¤¤¤ # Sessions

C:\WINDOWS\system32\config\systemprofile
C:\WINDOWS\ServiceProfiles\LocalService
C:\WINDOWS\ServiceProfiles\NetworkService
C:\Users\Jeremy
C:\Users\Heather
C:\Users\Mcx1-GENGHIS
C:\Users\DefaultAppPool

Registry saved , to restore :  Shortcut on the desktop 'Pre_Scan_Restore' Restore the register (C:\Pre_Scan\Save\Registry [25.07.2016 @ 14_40_39])
To restore File or Folder : Shortcut on the desktop 'Pre_Scan_Restore' , select 'restore File - Folder' , select an Item and click on Restore

¤¤¤¤¤¤¤¤¤¤ # Browsers

IE : 11.0.10586.494     (© Microsoft Corporation.)
FF : 47.0.1.6018     (©Firefox and Mozilla Developers; available under the MPL 2 license.)

¤¤¤¤¤¤¤¤¤¤ # FlashPlayer


¤¤¤¤¤¤¤¤¤¤ # Security

AV : avast! Antivirus Enabled
AS : avast! Antivirus Enabled
FW :
WMI : OK
WU: Windows Update Service [Manual(3)] = stopped
AS: Windows Defender [Manual(3)] = stopped
FW: Windows FireWall Service [Auto(2)] = Running

¤¤¤¤¤¤¤¤¤¤ # Stopped processes

1740 | [Owner : Jeremy |Parent : 420] - (.Microsoft Corporation - Shell Infrastructure Host.) - (10.0.10586.0) = C:\Windows\System32\sihost.exe
1880 | [Owner : Jeremy |Parent : 1844] - (.Microsoft Corporation - Windows Explorer.) - (10.0.10586.494) = C:\Windows\explorer.exe
1984 | [Owner : Jeremy |Parent : 1880] - (.Microsoft Corporation - CTF Loader.) - (10.0.10586.0) = C:\Windows\System32\ctfmon.exe
2280 | [Owner : Jeremy |Parent : 772] - (.Microsoft Corporation - Microsoft Help and Support.) - (10.0.10586.494) = C:\Windows\HelpPane.exe
2436 | [Owner : Jeremy |Parent : 772] - (.Microsoft Corporation - Application Frame Host.) - (10.0.10586.0) = C:\Windows\System32\ApplicationFrameHost.exe

¤¤¤¤¤¤¤¤¤¤ # Winlogon user


¤¤¤¤¤¤¤¤¤¤ # Winlogon machine

Repaired : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]~[Shell] :  -> explorer.exe
Repaired : [HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]~[userinit] : C:\WINDOWS\system32\userinit.exe, -> C:\WINDOWS\SYSWOW64\userinit.exe,

¤¤¤¤¤¤¤¤¤¤ # SafeBoot

Safeboot Keys are O.K

Alternate shell is OK !




¤¤¤¤¤¤¤¤¤¤ # IFEO


¤¤¤¤¤¤¤¤¤¤ # Mountpoints2



Content of X:\autorun.inf :

[autorun]
open="" autoplay=true
ICON="autorun\wdlogo.ico"

¤¤¤¤¤¤¤¤¤¤ # Windows

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot]~[Shell] : SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini]~[winlogon] : SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
[HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot]~[Shell] : SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

¤¤¤¤¤¤¤¤¤¤ # Security center




¤¤¤¤¤¤¤¤¤¤ # Services


Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\Compbatt]~[Start] :  -> 0
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\srService]~[Start] :  -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\Parvdm]~[Start] :  -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\NIHardwareService]~[Start] :  -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\lmhosts]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\agp440]~[Start] : 0 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]~[Start] :  -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\EapHost]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]~[Start] : 4 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\windefend]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\wudfsvc]~[Start] : 3 -> 2
Repaired : [HKLM\SYSTEM\CurrentControlSet\Services\WerSvc]~[Start] : 3 -> 2

¤¤¤¤¤¤¤¤¤¤ # Internet Explorer


¤¤¤¤¤¤¤¤¤¤ # reparsepoint



¤¤¤¤¤¤¤¤¤¤ # Offsets


¤¤¤¤¤¤¤¤¤¤ # Files | Folders | Registry



Deleted : [HKU\S-1-5-21-4163743241-2225681512-1622168612-1001\Software\Microsoft\Windows\CurrentVersion\Run]~[OpenDNS Updater] : "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
Moved to quarantine successfully : C:\msdia80.dll

¤¤¤¤¤¤¤¤¤¤ # ADS


Prefetch -> cleaned


D:\ : Vaccinated (Vaccin created by Pre_Scan)
E:\ : Vaccinated (Vaccin created by Pre_Scan)
X:\AutoRun.inf : Deleted
X:\ : Vaccinated (Vaccin created by Pre_Scan)

¤¤¤¤¤¤¤¤¤¤ | Hidden files

~ [Drive D:] : Hidden : 2065 | Restored : 2065
~ [Drive E:] : Hidden : 2065 | Restored : 2065
~ [Drive X:] : Hidden : 2045 | Restored : 2045
~ [Drive C:] : Hidden : 3 | Restored : 3
~ [Program Files] : Hidden : 9 | Restored : 9
~ [Users] : Hidden : 2 | Restored : 2
~ [Searches] : Hidden : 2 | Restored : 2
~ [Windows] : Hidden : 63 | Restored : 59
~ [AppData] : Hidden : 35 | Restored : 35


¤¤¤¤¤¤¤¤¤¤ # Drives

 Disk: 0   Size=12.2T
 Pos MBRndx Type/Name  Size Active Hide Start Sector   Sectors
 --- ------ ---------- ---- ------ ---- ------------ ------------
  0    0    EE-UNKNWN  21.0T   No    No             1  294,967,295

¤¤¤¤¤¤¤¤¤¤

Repaired : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]~[AutoRestartShell] : 0 -> 1
Repaired : [HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]~[AutoRestartShell] :  -> 1

End : 15:00:30


¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤ - 191

============== The 9Lab log... ==============

9-lab Removal Tool 1.0.0.39 BETA
9-lab.com

Database version: 128.39590

Windows 8 (Version 6.2, Build 0, 64-bit Edition)
Internet Explorer 9.11.10586.0
Jeremy :: GENGHIS

7/25/2016 3:12:34 PM
9lab-log-2016-07-25 (15-12-34).txt

Scan type: Full
Objects scanned: 58030
Time Elapsed: 13 m 10 s

Registry Values detected: 1
Risk.Path [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command (Default)]


Files detected: 19
[28067F6FA3D50DB60E600B7FDE680AC5] Trojan.FPL.Rotbrow.vb [c:\users\jeremy\appdata\roaming\ZHP\Trace.txt]
[AF04DB736B9BBDF69A919DF957F2A074] Trojan.FPL.Rotbrow.vb [c:\users\jeremy\appdata\roaming\ZHP\ZHPCleaner.exe]
[9CEF63FDE7A3A91A747CEB26D00FCED3] Malware.Win32.Gen.sm [C:\Pre_Scan\smss.exe]
[74D9EB5588D8E591DC6BE27B9CA77A22] PUP.Downloader.vb!c [E:\Programs\Pandora_Recovery-BP-10694796.exe]
[832BB9A7E73E1C5953CC26654400BA12] Malware.Win32.Gen.cld [E:\Programs\Motherboard\motherboard_driver_lan_realtek_8111_vista.exe]
[832BB9A7E73E1C5953CC26654400BA12] Malware.Win32.Gen.cld [D:\Programs\Motherboard\motherboard_driver_lan_realtek_8111_vista.exe]
[74D9EB5588D8E591DC6BE27B9CA77A22] PUP.Downloader.vb!c [D:\Programs\Pandora_Recovery-BP-10694796.exe]
[43682C419165F10EB11BC7A25493C1A5] Malware.Win32.Gen.cld [E:\Programs\TVersitySetup_2_3.exe]
[43682C419165F10EB11BC7A25493C1A5] Malware.Win32.Gen.cld [D:\Programs\TVersitySetup_2_3.exe]
[832BB9A7E73E1C5953CC26654400BA12] Malware.Win32.Gen.cld [X:\RAID1_Backup\Programs\Motherboard\motherboard_driver_lan_realtek_8111_vista.exe]
[74D9EB5588D8E591DC6BE27B9CA77A22] PUP.Downloader.vb!c [X:\RAID1_Backup\Programs\Pandora_Recovery-BP-10694796.exe]
[5F1F296A5EDC6826F34B46225164CA2E] Virtool.Win32.Gen.24F5.sm!ff [C:\Program Files (x86)\IDTE-ID3 Tag Editor\Bin\IDTE.exe]
[C0551491D170A4A321BCA4F0ADBB91CC] Malware.Win32.Gen.cs0 [C:\Program Files (x86)\IDTE-ID3 Tag Editor\Bin\Configure.exe]
[3830A62DAB2CDF1236DF922010F20801] Malware.Win32.Gen.cs0 [C:\Program Files (x86)\IDTE-ID3 Tag Editor\Bin\Updater.exe]
[5D2884FD9BB5DD07BD6FD278A0289845] Malware.Win32.Gen.cs0 [C:\Program Files (x86)\IDTE-ID3 Tag Editor\IDTE.exe]
[93C516A5AE1736E96195BEE28A9A9AE7] Malware.Win32.Gen.cs0 [C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDTE-ID3 Tag Editor\IDTE-ID3 Tag Editor.lnk]
[0A170D9B50B29C5209248D95417C16DA] Malware.Win32.Gen.486E.sm!ff [C:\Users\Jeremy\Downloads\rsthosts_2.0.exe]
[7B686BAF4404271132219A505C936A4A] Cert2-Malware.Win32.Gen.cc!s1 [C:\Users\Jeremy\Downloads\Wireshark-win64-2.0.4.exe]
[58F7AE008538E3867A327956390D0470] Malware.Win32.Gen.cc!s1 [C:\Users\Jeremy\Downloads\ZHPCleaner-2015.8.13.324.exe]

 

At a glance, the 9Lab findings all (or mostly all) seem to be false alerts on other scanners and cleaners.



#7 mongorian

mongorian
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 25 July 2016 - 06:03 PM

Oh, also... somewhere along the way there, my start menu stopped working (won't open when clicked or the Windows key pressed on the keyboard), and the Windows 10 notifications are not viewable either (unresponsive to clicks).



#8 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 25 July 2016 - 06:20 PM

Malwarebytes Scan.

 

We need you to run MalwareBytes to get a log; please download the free version of MalwareBytes HERE

http://data-cdn.mbamupdates.com/web/mbam-setup-2.2.0.1024.exe  Alternate Link.

Save the file to somewhere you can easily find it. Double click the saved file to start the install, accept any security warnings that may appear, and after the install click the new desktop icon to start the program. We need to modify a couple of things with MalwareBytes before we use it, so please follow the steps below.

  1. If the dashboard is not already displayed select it.
  2. Then select "Update Now" to get the latest database.


  1. Next we need to change a scanning option, select "Settings" on the main menu, then "Detection and Protection" on the left.
  2. Then select "Scan for rootkits" in the detection options, as well as the other two options already checked.


  • Now return to Dashboard on the main menu and select "Scan Now" at the bottom of the screen.


  • Allow MalwareBytes to scan your system, it may take some time depending on what you have loaded onto your hard drive.


When the scan is finished

  1. Click "Save Results"
  2. Then click on "Text file"


  • A window will then open allowing you to choose a name for the logfile and also allowing you to choose where to save it; save it to the desktop.
  • Please copy and paste the contents of this file in your next post.

 

 

Eset Online Scanner.

 

Eset Scan

Click Me To Download Eset Scan

Disable your antivirus prior to this scan.

  • Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Minitoolbox scan.

 

 

Please download Minitoolbox and run it.



Check the following boxes:


Flush DNS
Reset FF proxy Settings
Reset Ie Proxy Settings
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List Devices (problems only)



Click Go and post the result.

 

Security Check Scan.

 

Download Security Check to your desktop, right-click it and run it as administrator. When the program completes, the tool will automatically open a log file; please post that log here in your next post.
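For readers who want to see what the Minitoolbox checklist above is actually reporting, here is a PowerShell sweep of the same items (proxy settings, hosts file, DNS servers, Winsock catalog, DNS cache) that flags the settings malware commonly tampers with. This is an added example, not Minitoolbox's code or anything from this thread; the OpenDNS resolver addresses and the desktop output path are assumptions, and the run is read-only unless -FlushDns is given.

```powershell
param([switch]$FlushDns)   # flushing is optional; the default run only reports

# Assumption: the router hands out the OpenDNS resolvers; change these to your own.
$ExpectedDns = @('208.67.222.222', '208.67.220.220')
$findings = New-Object System.Collections.Generic.List[string]

# 1. WinINET proxy settings (used by IE and many Windows components): a proxy or
#    PAC script you did not set yourself is a classic traffic-hijack indicator.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("PAC script configured: $($inet.AutoConfigURL)") }

# 2. Hosts file: report every active line that is not a plain localhost mapping
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' } | ForEach-Object {
    if ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
        $findings.Add("Non-default hosts entry: $($_.Trim())")
    }
}

# 3. DNS servers per adapter, compared with the resolvers you expect the router to hand out
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($ExpectedDns -notcontains $srv) {
            $findings.Add("Unexpected DNS server on $($cfg.InterfaceAlias): $srv")
        }
    }
}

# 4. Winsock catalog: provider DLLs outside System32 deserve a closer look (LSP hijack)
netsh winsock show catalog | ForEach-Object {
    if ($_ -match 'Provider Path:\s*(.+)$' -and $Matches[1] -notmatch '^%SystemRoot%\\system32\\') {
        $findings.Add("Non-default Winsock provider: $($Matches[1].Trim())")
    }
}

# 5. DNS cache: keep a copy for review (e.g. to search for a domain your ISP flagged)
#    before flushing it, since a flush destroys that evidence.
$cachePath = Join-Path $env:USERPROFILE 'Desktop\dnscache-before-flush.txt'   # assumed location
Get-DnsClientCache | Select-Object Entry, RecordName, Data | Format-Table -AutoSize | Out-File $cachePath
if ($FlushDns) { Clear-DnsClientCache; $findings.Add("DNS cache flushed (copy saved to $cachePath)") }

# Summary
if ($findings.Count -eq 0) { 'No anomalies found in proxy, hosts, DNS or Winsock settings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell so the Winsock catalog and DNS cache are fully readable; a DNS server entry that is your router's own LAN address is normal when the router proxies DNS, so adjust $ExpectedDns accordingly.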



#9 mongorian

mongorian
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 26 July 2016 - 11:41 AM

Thanks for the help, but this is too much effort at this point. I am going to just wipe and do a fresh install of Windows. I have been running Avast Free for years now, but have considered switching. Any suggestions on free AV better than Avast? Something without all the push to buy an upgrade that Avast comes with would be nice, but I wouldn't want to compromise effectiveness for this.

 

Unless you have a suggestion otherwise I will just stick with Avast for AV on the reload, but will add Zemana as well. I previously have run without separate malware protection installed.

 

This has certainly been educational, to say the least. Any other advice you can give me on better protecting the new system is appreciated too.

 

Thanks again for the assistance!!





