

Default browser always opens bestprosoft.com on each boot up


  • This topic is locked
15 replies to this topic

#1 Johnny5478

  • Members
  • 21 posts

Posted 03 August 2016 - 07:11 AM

Hi. My previous topic was here, and a moderator, boopme, suggested that I post my problem here. So my laptop has a problem: it always opens that website in my default browser on each boot-up. I have used AdwCleaner, MiniToolBox, TDSS, JRT and the ESET online scanner to fix the problem, but unfortunately there is no effect.
I hope the problem can be fixed soon. Thanks

Attached Files





#2 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 03 August 2016 - 08:30 AM

Hello Johnny5478 and welcome to Bleeping Computer.

You have illegal software on your system (and it looks like maybe your operating system also), which is probably how your computer became infected. Besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code.

This forum, as well as all the other well-respected malware removal forums, does not condone the use of illegal software. If you disregard this warning and become re-infected, we may not assist you the next time.

Please uninstall all the illegal software that you have downloaded and installed. When you have done this, run the following scan:

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 03 August 2016 - 02:12 PM

Hello Johnny5478 and welcome to Bleeping Computer.

You have illegal software on your system (and it looks like maybe your operating system also), which is probably how your computer became infected. Besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code.

This forum, as well as all the other well-respected malware removal forums, does not condone the use of illegal software. If you disregard this warning and become re-infected, we may not assist you the next time.

Please uninstall all the illegal software that you have downloaded and installed. When you have done this, run the following scan:

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

Thanks

Satchfan

 

Hello Satchfan, thank you for answering my post.
I already know about the risk of illegal software, but my curiosity and finances sometimes gave me no choice but to install them in the past. I just don't want to argue about that too much, because it would bring up many pros and cons. I also want to apologize if helping me makes you feel uncomfortable.
So about Windows, you don't have to worry: it's OEM (upgraded to 10 from 8).
Here is the log file you asked for (I have deleted most of the files and rescanned; it only contains a few files that were detected as false positives):
 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\cryptool\cracklib_win32.dll
c:\program files (x86)\cryptool\words\cracklib-words
c:\program files (x86)\cryptool\words\cracklib_dict.hwm
c:\program files (x86)\cryptool\words\cracklib_dict.pwd
c:\program files (x86)\cryptool\words\cracklib_dict.pwi
c:\program files (x86)\pcsx2 1.4.0\pcsx2_keys.ini.default
c:\users\ali affandi\data\backup pc lama\backup\santa rockstar hd ost [gamerip]\06 march of the nutcracker.ogg
scanner sequence 3.FA.11.DVFNT0

NB: CrypTool is a tool used at my university to demonstrate and learn about encryption and decryption.

Edited by Johnny5478, 03 August 2016 - 02:14 PM.


#4 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 03 August 2016 - 04:51 PM

Thanks for the explanation and the logs.

 

I'll look at the logs and send a reply as soon as I can, but it's 10.50pm (GMT) here and I have an early start, so it will be in the morning some time.

 

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#5 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 03 August 2016 - 05:03 PM

Thanks for the explanation and the logs.

 

I'll look at the logs and send a reply as soon as I can, but it's 10.50pm (GMT) here and I have an early start, so it will be in the morning some time.

 

Satchfan

No need to rush, take your time. I will be waiting.  :thumbup2:



#6 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 03 August 2016 - 05:14 PM

:guitar:


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 04 August 2016 - 07:03 AM

Hello again.


There is an entry that shows you have chosen to start Explorer without elevated privileges – is this something you’re aware of and if so, can you explain your reasoning for this?

================================================

Farbar Recovery Scan Tool is not on your desktop – this way, fixes will not work.

Please either move the original named FRST to your desktop, (which I don’t see in your logs), or download it again from here and save it on the desktop.

THEN

Run Farbar Recovery Scan Tool

Open Notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
InternetURL: C:\Users\Ali Affandi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download Latest Windows 10 Permanent Activator Ultimate 2016.url -> URL: hxxp://bestprosoft.com/category/download-latest-best-professional-software-2016/
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <======= ACHTUNG
C:\Users\Ali Affandi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download Latest Windows 10 Permanent Activator Ultimate 2016.url
Toolbar: HKU\S-1-5-21-1993809284-1810740912-1198980261-1001 -> Kein Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  Keine Datei
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFAddon => nicht gefunden
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFAddon => nicht gefunden
2016-07-25 02:12 - 2016-07-28 16:17 - 00000000 ____D C:\Program Files\KMSpico
2016-07-25 02:12 - 2016-07-27 04:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
2016-07-25 02:12 - 2016-07-25 02:12 - 00003476 _____ C:\WINDOWS\System32\Tasks\AutoPico Daily Restart
2016-07-17 19:36 - 2016-07-17 19:36 - 00000000 ____D C:\Users\Ali Affandi\AppData\Local\Tempzxpsign3ef199ccbc57a061
2016-07-17 19:36 - 2016-07-17 19:36 - 00000000 ____D C:\Users\Ali Affandi\AppData\Local\Tempzxpsign0cdf66f99a80129b
2016-07-05 13:17 - 2016-07-05 13:17 - 00000000 ____D C:\Users\Ali Affandi\AppData\Local\Tempzxpsignb6827b0cbcd2cd7e
2016-07-05 13:17 - 2016-07-05 13:17 - 00000000 ____D C:\Users\Ali Affandi\AppData\Local\Tempzxpsign39c2cb73476bbaa8
2013-10-01 15:10 - 2013-10-01 15:11 - 0000104 _____ () C:\ProgramData\{01FB4998-33C4-4431-85ED-079E3EEFE75D}.log
2013-10-01 15:11 - 2013-10-01 15:11 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2013-10-01 15:08 - 2013-10-01 15:09 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2013-10-01 15:07 - 2013-10-01 15:07 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2013-10-01 15:09 - 2013-10-01 15:10 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log
2013-10-01 15:07 - 2013-10-01 15:08 - 0000110 _____ () C:\ProgramData\{E3739848-5329-48E3-8D28-5BBD6E8BE384}.log
2013-10-01 15:09 - 2013-10-01 15:09 - 0000110 _____ () C:\ProgramData\{E3D04529-6EDB-11D8-A372-0050BAE317E1}.log
CustomCLSID: HKU\S-1-5-21-1993809284-1810740912-1198980261-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-682F49B606F3}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => Keine Datei
Task: {03D8A70B-3A36-4445-BFD2-DD9C5AB7F4AC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Keine Datei <==== ACHTUNG
Task: {69AC7AA8-49D9-478C-BA5A-6A1D86C57F9F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Keine Datei <==== ACHTUNG
Task: {6CF8D736-95D3-43E0-9008-7208CE24550C} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic
Task: {95AEFD54-07F8-471B-8DCF-21C09E26A6BE} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Keine Datei <==== ACHTUNG
Task: {B99C48E9-25B5-4F98-AF29-DBD816D047B1} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {BB2661C9-CAB9-4CE8-9FB1-07C2811CC2E3} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Keine Datei <==== ACHTUNG
Task: {EA9CF7E9-0386-4349-A2B8-BB216E8FF2BF} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
Task: {FF923A23-038D-4B03-9587-0AF5FAA358E5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Keine Datei <==== ACHTUNG
AlternateDataStreams: C:\WINDOWS\system32\msln.exe:6682e7867abee96550a3c13962ee8fbc [290]
AlternateDataStreams: C:\ProgramData\Temp:D5FBE8F9 [334]
FirewallRules: [{10CB281C-525C-4097-8AB1-1D06CF8FAB51}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{D932F3D1-3680-4D95-9119-197CFB92A831}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
C:\Users\Ali Affandi\maxout_7348.dat
Reg: reg delete HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1 / v KMSpico /f
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
Hosts:
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the files as fixlist.txt in the same folder as FRST, (ie, on your desktop) – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

Fixlog.txt

New Frst.txt
New Addition.txt


Thanks

Satchfan


Edited by satchfan, 04 August 2016 - 08:22 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
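The persistence the fixlist above removes is a plain .url shortcut in the per-user Startup folder, which is why the default browser opened the site at every logon. As an added example (not from the thread or from the FRST author), this Python script parses such InternetShortcut files and lists every browser-launching shortcut in the Startup folders; the sample file content and the fallback folder paths are constructed, and the target is kept defanged as in the log.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample: the shape of the shortcut FRST listed in the Startup
# folder above (target written defanged, as in the log; it is never fetched).
SAMPLE_NAME = "Download Latest Windows 10 Permanent Activator Ultimate 2016.url"
SAMPLE_URL_FILE = """[InternetShortcut]
URL=hxxp://bestprosoft.com/category/download-latest-best-professional-software-2016/
IconIndex=0
"""

def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    # Hand-rolled instead of configparser: Windows matches section and key
    # names case-insensitively in these INI-style files.
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip() or None
    return None

def defang(url: str) -> str:
    """Make a target non-clickable in reports (http -> hxxp, as in the log)."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://")

def scan_startup_dirs(dirs) -> List[Tuple[str, str]]:
    """Return (shortcut path, defanged target) for every .url file in dirs."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.url")):
            target = parse_internet_shortcut(p.read_text(encoding="utf-8", errors="replace"))
            if target:  # any browser launch from Startup is worth a look
                findings.append((str(p), defang(target)))
    return findings

def windows_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders (fallback paths are placeholders)."""
    tail = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    appdata = os.environ.get("APPDATA", r"C:\Users\<user>\AppData\Roaming")
    programdata = os.environ.get("ProgramData", r"C:\ProgramData")
    return [Path(appdata) / tail, Path(programdata) / tail]

def demo() -> List[Tuple[str, str]]:
    """Run the scan on a temp folder seeded with the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / SAMPLE_NAME).write_text(SAMPLE_URL_FILE, encoding="utf-8")
        return scan_startup_dirs([tmp])

if __name__ == "__main__":
    for path, target in demo() + scan_startup_dirs(windows_startup_dirs()):
        print(f"{path} -> {target}")
```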


#8 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 05 August 2016 - 08:05 AM

Hi, sorry for the late reply. I can confirm that the problem has been resolved. But now I can't type anything in the Cortana search box with my keyboard; it only works with the virtual keyboard. I'm not sure whether the problem was caused by the fixlist or by yesterday's update to the new Windows build (version 1604). Can you help me with this?

There is an entry that shows you have chosen to start Explorer without elevated privileges – is this something you’re aware of and if so, can you explain your reasoning for this?

 
I don't understand; what do you mean by that?
 

Farbar Recovery Scan Tool is not on your desktop – this way, fixes will not work.

Please either move the original named FRST to your desktop, (which I don’t see in your logs), or download it again from here and save it on the desktop.


It works. I put fixlist.txt into the same folder as FRST, located on the desktop.

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

Fixlog.txt
New Frst.txt
New Addition.txt


I have a little problem here. The Fixlog.txt went missing after I rescanned my laptop with FRST, or maybe because of the new Windows build update. So I can't attach the Fixlog. Sorry.

Attached Files


Edited by Johnny5478, 05 August 2016 - 08:50 AM.


#9 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 05 August 2016 - 12:25 PM

I can't type anything in the Cortana search box with my keyboard; it only works with the virtual keyboard.

That has nothing to do with the "fix", as we didn't touch any of those settings.

Open Task manager and stop the Cortana process; it should automatically start again and hopefully it'll work.

I haven't had time to have a detailed look at your logs but a brief glance looks like things are good.

Let me know if "search" is OK - if not we'll look at the settings.

Got to pop out now but be back later.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#10 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 05 August 2016 - 01:41 PM

Hmm, the Windows update caused this problem then. I have tried killing Cortana and clicking it again, but still no effect.
BTW, I did some experimenting by pressing all the keys on my keyboard in Cortana and found out that I can only type " ^ ° , + - / @ | ~ µ ". Weird :unsure:
Here is my keyboard layout:


#11 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 05 August 2016 - 04:59 PM

There are some .NLS, (National Language Support), files that have been created and a LOT that relate to the keyboard but I'm not clued up on all things "Windows" so I think you'd be better in our Windows forum. One thing I think it's safe to say is that the Windows update has upset your computer.

 

There was nothing in your logs to show any infections so if you're happy that your computer is clean, let me know and I'll give you a pointer to the Windows forum.

 

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#12 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 06 August 2016 - 05:26 AM

Oh OK, you can lock this post as the problem has been resolved, and thank you very much for spending your time to help me fix my laptop. I really appreciate your hard work. :thumbsup:
And about the Windows forum, you don't have to worry, I have found it out. :busy:


Edited by Johnny5478, 06 August 2016 - 05:31 AM.


#13 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 06 August 2016 - 07:50 AM

thank you very much for spending your time to help me fix my laptop

You're welcome.

 

Well done on sorting it. Can you tell me what you found out, as it may help other Windows 10 users with the same problem?

 

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  • Create registry backup
  • Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Update installed programs

Your version of Java is out of date and needs to be removed and updated.

Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.
Uninstall these programs:


Java 8 Update 77 (64-bit)
jre1.8.0_92
Java 8 Update 92 (64-bit)

 

NEXT

Install the latest version of Java:

Java

NOTE – when you install Java, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”


Even though I just had you get the latest version of Java, there is a vulnerability with regards to Java and web browsers. Therefore, we recommend disabling Java in web browsers.

More information can be found here.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.


I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 


Edited by satchfan, 06 August 2016 - 08:04 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#14 Johnny5478

  • Topic Starter
  • Members
  • 21 posts

Posted 06 August 2016 - 05:13 PM

Well done on sorting it. Can you tell me what you found out, as it may help other Windows 10 users with the same problem?

What I meant by "found out" is not the solution to the problem, but the Windows forum that you mentioned before. :P
I have already made a new topic here and also on the Microsoft forum. As soon as I get the solution from a Microsoft engineer, I will post it in this forum too. :thumbup2:
 

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:


Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  • Create registry backup
  • Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.


Done, thank you.

 


Edited by Johnny5478, 06 August 2016 - 05:15 PM.


#15 satchfan

  • Malware Response Team
  • 2,792 posts
  • Gender:Female
  • Location:Devon, UK

Posted 07 August 2016 - 05:07 PM

You're welcome and thanks for the information.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.




