
Chrome Browser Keeps Displaying Random Ads & Blocks Certain Web Pages


21 replies to this topic

#1 dongwonssamja


Posted 22 October 2016 - 02:28 PM

Hi guys,

 

I am using Windows 10 on my Samsung laptop, and I ended up downloading a corrupted file, which infected my computer.

Initially, none of my browsers (Chrome, Firefox, Internet Explorer) would even open up, so I downloaded several malware removal tools (rkill, malwarebytes, adwcleaner, CCleaner) and ran them.

My browser does open up now, but Chrome keeps displaying random advertisements throughout my net surfing and the virus is blocking me from accessing certain websites including here, bleepingcomputer.com (Error Message: "The page cannot be displayed because an internal server error has occurred."), and is even preventing Windows Defender from running ("To allow this app to run, contact your security administrator to enable the program via group policy.").

What would be the necessary step I should take?

 

Thanks so much, everyone!

 

 

+++ I found a post that describes a very similar situation as mine: http://www.bleepingcomputer.com/forums/t/600467/random-ads-playing-in-chrome-browser-cannot-access-anti-spyware-software/

I will try to follow the instructions posted on the reply and see if there is any update.



Edited by dongwonssamja, 22 October 2016 - 03:25 PM.



 


#2 satchfan


Posted 22 October 2016 - 03:36 PM

Hello dongwonssamja and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

 

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

AdwCleaner log
RKreport.txt
New Frst.txt
New Addition.txt


Thanks

Satchfan


Edited by satchfan, 22 October 2016 - 03:42 PM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 dongwonssamja


Posted 22 October 2016 - 04:08 PM

Thank you very much for your reply!

 

I have attached all four logs you requested. 




#4 satchfan


Posted 22 October 2016 - 05:06 PM

Thanks for those. Let's get rid of what was found.

 

Re-run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/10: right-click the program and select Run as Administrator
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#5 dongwonssamja


Posted 22 October 2016 - 05:52 PM

Just re-ran RogueKiller and deleted all detected threats!

 

It looks like six of them were successfully removed/replaced, while an error occurred for the last one :/



Edited by dongwonssamja, 22 October 2016 - 05:52 PM.


#6 satchfan


Posted 23 October 2016 - 02:37 AM

That looks like it sorted out some issues. Let’s have a look with a different tool and then a new FRST log to see what’s left.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here.
 

  • on Windows Vista, 7/8, 10 right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyalltemp;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    ipconfig /flushdns;b
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

zoek-results.log
New Frst.txt
New Addition.txt

 

Can you tell me how your computer is now and what remaining problems there are.

 

Thanks

Satchfan
 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 dongwonssamja


Posted 23 October 2016 - 03:33 AM

I ran all three programs, but unfortunately, the same problem persists.
Chrome browser still will not let me access some of the web pages with the same error message ("The page cannot be displayed because an internal server error has occurred") and my Windows Defender is still down. ("To allow this app to run, contact your security administrator to enable the program via group policy.")

This might be due to the fact I had to reboot my computer after running zoek.exe?

I attached all three text files you requested, and thanks so much again for all your help!




#8 satchfan


Posted 23 October 2016 - 03:42 AM

Can you tell me what you know about these:

(windows) C:\Program Files (x86)\knecht\unequivocally.exe
() C:\Program Files (x86)\flog\swapped.exe
() C:\Program Files (x86)\Cello\pride.exe

 

and

 

Programs\Startup\ok81454641
Programs\Startup\shamed


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#9 dongwonssamja


Posted 23 October 2016 - 03:51 AM

Hmm I have no idea!
Could those be the cause of corruption?
What would be the step to remove them?

#10 satchfan


Posted 23 October 2016 - 03:53 AM

Thanks. I'll send a "fix" later but will be busy for an hour or so.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#11 satchfan


Posted 23 October 2016 - 08:17 AM

P2P - I see you have P2P software, (uTorrent), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

 

You need to move Farbar Recovery Scan Tool otherwise fixes will not work.

At the moment it is in C:\Users\HanSol PARK\Desktop\Malware.

  • using 'File Explorer', locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty space on your desktop, right-click and then Paste.

Farbar Recovery Scan Tool should now be directly on your desktop.

================================================
 

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
(windows) C:\Program Files (x86)\knecht\unequivocally.exe
() C:\Program Files (x86)\flog\swapped.exe
() C:\Program Files (x86)\Cello\pride.exe
HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\Run: [wessex] => C:\Program Files (x86)\flog\pickwick.exe [523264 2016-10-21] (unleash)
HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\Run: [chace] => C:\Program Files (x86)\Cello\pride.exe [516096 2016-10-21] ()
HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\Run: [swapped] => C:\Program Files (x86)\flog\swapped.exe [40331 2016-10-21] ()
HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\Run: [titmouse] => C:\Program Files (x86)\knecht\unequivocally.exe [185344 2016-10-21] (windows)
Startup: C:\Users\HanSol PARK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok81454641.lnk [2016-10-21]
ShortcutTarget: ok81454641.lnk -> C:\Program Files (x86)\knecht\unequivocally.exe (windows)
Startup: C:\Users\HanSol PARK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok81454641shamed.lnk [2016-10-21]
ShortcutTarget: ok81454641shamed.lnk -> C:\Program Files (x86)\Cello\pride.exe ()
Startup: C:\Users\HanSol PARK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shamed.lnk [2016-10-21]
ShortcutTarget: shamed.lnk -> C:\Program Files (x86)\knecht\unequivocally.exe (windows)
ProxyEnable: [S-1-5-21-2377441386-1568436963-1158331760-1002] => Proxy is enabled.
ProxyServer: [S-1-5-21-2377441386-1568436963-1158331760-1002] => http=127.0.0.1:8877;https=127.0.0.1:8877
ManualProxies: 1http=127.0.0.1:8877;https=127.0.0.1:8877
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll => No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL No File
2016-10-21 22:18 - 2016-10-22 15:09 - 00003848 _____ C:\WINDOWS\System32\Tasks\280260541
2016-10-21 22:18 - 2016-10-22 15:09 - 00003694 _____ C:\WINDOWS\System32\Tasks\180260541
2016-10-21 22:18 - 2016-10-21 22:18 - 00434960 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-10-21 20:41 - 2016-10-21 20:41 - 00003784 _____ C:\WINDOWS\System32\Tasks\Online Application Updater
2016-10-21 20:41 - 2016-10-21 20:41 - 00003722 _____ C:\WINDOWS\System32\Tasks\Online Application Guardian
2016-10-21 20:41 - 2016-10-21 20:41 - 00003716 _____ C:\WINDOWS\System32\Tasks\Online Application Guard
2016-10-21 20:41 - 2016-10-21 20:41 - 00003704 _____ C:\WINDOWS\System32\Tasks\Online Application
2016-10-21 20:41 - 2016-10-21 20:41 - 00000000 ____D C:\Users\HanSol PARK\AppData\Local\Tempfolder
2016-10-21 20:41 - 2016-10-21 20:41 - 00000000 ____D C:\Program Files (x86)\Microleaves
2016-10-21 20:40 - 2016-10-21 20:41 - 00000000 ____D C:\Users\HanSol PARK\AppData\Roaming\Microleaves
2016-10-21 20:40 - 2016-10-21 20:40 - 00000001 _____ C:\Users\HanSol PARK\AppData\Local\setupsuccessful.txt
2016-10-21 20:40 - 2016-10-21 20:40 - 00000000 _____ C:\TOSTACK
2016-10-21 20:39 - 2016-10-22 15:09 - 00004412 _____ C:\WINDOWS\System32\Tasks\a62502773
2016-10-21 20:39 - 2016-10-22 15:09 - 00004398 _____ C:\WINDOWS\System32\Tasks\b62502773
2016-10-21 20:39 - 2016-10-22 13:18 - 00003870 _____ C:\WINDOWS\System32\Tasks\dc17A0CiOsY8kVizvAA7Wy-ni-2016-10-21-ni-99991-ni-1
2016-10-21 20:39 - 2016-10-21 22:18 - 00004024 _____ C:\WINDOWS\System32\Tasks\ab17A0CiOsY8kVizvAA7Wy-ni-2016-10-21-ni-99991-ni-1
2016-10-21 20:39 - 2016-10-21 20:39 - 00000055 _____ C:\WINDOWS\key.ini
2016-10-21 20:38 - 2016-10-21 21:56 - 00000000 ____D C:\Program Files (x86)\knecht
2016-10-21 20:38 - 2016-10-21 21:51 - 00003712 _____ C:\WINDOWS\System32\Tasks\Da7618138876181388
2016-10-21 20:38 - 2016-10-21 20:40 - 00000000 _____ C:\Users\HanSol PARK\AppData\Local\stxtname.txt
2016-10-21 20:38 - 2016-10-21 20:39 - 00000000 ____D C:\Program Files (x86)\flog
2016-10-21 20:38 - 2016-10-21 20:39 - 00000000 ____D C:\Program Files (x86)\coles
2016-10-21 20:38 - 2016-10-21 20:38 - 00000000 ____D C:\Program Files (x86)\mossman
2016-10-21 20:38 - 2016-10-21 20:38 - 00000000 ____D C:\Program Files (x86)\Cello
2016-10-21 20:38 - 2016-10-21 20:38 - 00000000 _____ C:\Users\HanSol PARK\AppData\Local\run.txt
2016-10-21 16:31 - 2016-10-21 16:31 - 00192000 _____ C:\WINDOWS\dll.dll
2016-10-21 16:31 - 2016-10-21 16:31 - 00185344 _____ (windows) C:\WINDOWS\comparably.exe
2016-10-21 16:31 - 2016-10-21 16:31 - 00041201 _____ C:\WINDOWS\macdougall.exe
2016-10-21 16:31 - 2016-10-21 16:31 - 00008192 _____ (pepperidge) C:\WINDOWS\profound.exe
2016-10-21 16:31 - 2016-10-21 16:31 - 00007680 _____ (khufu) C:\WINDOWS\corvette.exe
2016-09-25 11:56 - 2015-02-27 23:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
2016-10-21 20:38 - 2016-10-21 20:38 - 0000000 _____ () C:\Users\HanSol PARK\AppData\Local\run.txt
2016-10-21 20:40 - 2016-10-21 20:40 - 0000001 _____ () C:\Users\HanSol PARK\AppData\Local\setupsuccessful.txt
2016-10-21 20:38 - 2016-10-21 20:40 - 0000000 _____ () C:\Users\HanSol PARK\AppData\Local\stxtname.txt
CustomCLSID: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002_Classes\CLSID\{b039d18d-c6c5-54f8-ace1-0b8fff1ed771}\InprocServer32 -> C:\Users\HanSol PARK\AppData\Roaming\NAVER\FileDownloader\npNDownloaderObj64_1_0_0_35.dll => No File
Task: {0668AD07-BBF6-49BB-AA61-69A772ACBE82} - System32\Tasks\Da7618138876181388 => C:\Program Files (x86)\Cello\pride.exe [2016-10-21] ()
Task: {0BC29D7B-352D-4FE0-9186-7C3AFDA417AE} - \SamsungLinkTray -> No File <==== ATTENTION
Task: {0DF5C851-57B7-4C76-A5AC-4431B3158C67} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {0FDB98C8-BFCD-456B-B52C-C0F0D3795F24} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {16293A6D-5C86-470D-A133-D6C0E083AC45} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {1BDE7A88-4CB8-46E8-9351-949102049592} - \{6B666A52-7B58-4242-95A7-2422C543DF58} -> No File <==== ATTENTION
Task: {1E148070-D480-4486-9C93-30DB883FF5AE} - System32\Tasks\a62502773 => C:\Program Files (x86)\knecht\unequivocally.exe [2016-10-21] (windows)
Task: {22E0A557-8083-436B-BEAB-1704C63DBF10} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {2784DF4E-1675-47D1-B7AA-7645DB160089} - \IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 -> No File <==== ATTENTION
Task: {33A7B41B-12E4-4B88-816C-2D68109744DF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {35618AEC-BA08-45F9-81C8-44858CE7B1D7} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {3B3D8757-351B-41F9-862C-E026BE744AE9} - System32\Tasks\b62502773 => C:\Program Files (x86)\flog\pickwick.exe [2016-10-21] (unleash)
Task: {3CDFDFAD-5705-4976-9DE4-638DBAD08DEB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {462C0F6D-BC89-4AB1-B7E9-A59ACC133DEE} - System32\Tasks\ab17A0CiOsY8kVizvAA7Wy-ni-2016-10-21-ni-99991-ni-1 => C:\Program Files (x86)\knecht\unequivocally.exe [2016-10-21] (windows)
Task: {4846C12A-C41D-47CA-882A-A6E549686BFE} - \RTKCPL -> No File <==== ATTENTION
Task: {49697332-DCDC-466E-BE5B-CF521650553C} - \76181388 -> No File <==== ATTENTION
Task: {49F464E4-0E31-4720-9832-1599028D25BA} - \AdobeAAMUpdater-1.0-SAMSUNG-HanSol PARK -> No File <==== ATTENTION
Task: {54B0C013-5F3C-46DB-AF79-6D307F8BAE6D} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {5E285F23-BC5F-42CB-A663-83ED71547D1A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {5FC7708C-A320-4B2E-8810-B3591A2107EC} - \{7999F7F4-2C2C-4D16-B041-FD491D42E042} -> No File <==== ATTENTION
Task: {608AFE35-0E25-46C3-BD99-654C7104E3B8} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {669D3286-A4FF-436A-A82B-6067DCFAFE9F} - \ColorEngine -> No File <==== ATTENTION
Task: {6D3BAAC4-D053-4748-BB18-D89CC150CA7B} - \WPD\SqmUpload_S-1-5-21-2377441386-1568436963-1158331760-1002 -> No File <==== ATTENTION
Task: {7723014F-62CE-4DF6-BE8B-DC333E7C844E} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {884F80A1-7AA0-49E1-A172-5CFC66B58832} - \{4A92F3FB-07CE-4743-810B-91CABEE6CFC9} -> No File <==== ATTENTION
Task: {97CB710C-46D0-4E6C-82A5-FD1960508D09} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {990F1B66-969F-4C5A-88B6-E8152A05D35A} - System32\Tasks\dc17A0CiOsY8kVizvAA7Wy-ni-2016-10-21-ni-99991-ni-1 => C:\Program Files (x86)\knecht\unequivocally.exe [2016-10-21] (windows)
Task: {A6CCE7B8-756D-4DE4-B26B-E9C6A787AEA2} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {A70CC1C3-EA40-4684-B24C-80D7DF041F4C} - \User_Feed_Synchronization-{EE8727DE-0C1D-4B1B-966C-58010C798706} -> No File <==== ATTENTION
Task: {B0C7F033-6CFB-4D36-A80B-DAF603BB2D4F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {BED91F52-4185-49CC-BE86-FED3D84B07BB} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {C6B6B8FA-A1A5-4B35-91C9-482AE8E11D6D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {C77EA745-813D-4082-90B0-140AE6CD5FBE} - System32\Tasks\280260541 => C:\Program Files (x86)\flog\pickwick.exe [2016-10-21] (unleash) <==== ATTENTION
Task: {CECA9AD8-C2F8-4669-9AB5-DACDDC030759} - \Microsoft OneDrive Auto Update Task-S-1-5-21-2377441386-1568436963-1158331760-1002 -> No File <==== ATTENTION
Task: {D22CF6D8-CE82-4500-BE3F-42659AF26594} - System32\Tasks\180260541 => C:\Program Files (x86)\flog\pickwick.exe [2016-10-21] (unleash) <==== ATTENTION
Task: {D40096CB-A939-466E-9DB5-D919436F781D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {D5D030A0-B00E-4722-A9D3-F675CC52220E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {D6957BCF-F8ED-4CF4-B250-923C1A1A1905} - \Optimize Start Menu Cache Files-S-1-5-21-2377441386-1568436963-1158331760-1002 -> No File <==== ATTENTION
Task: {DA7C166A-7245-4C5E-9F84-C1200729097C} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {DB2AFF32-1DAD-46C6-B288-826B6D0128CE} - \IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon -> No File <==== ATTENTION
Task: {DCB09591-511C-4411-BC47-0B37EE994481} - \SAgent -> No File <==== ATTENTION
Task: {DFFC0618-D15A-47CF-B0A8-8B0363A0CA38} - \Optimize Start Menu Cache Files-S-1-5-21-2377441386-1568436963-1158331760-500 -> No File <==== ATTENTION
Task: {F633F760-7E85-4CE9-9E48-8DE6690992CF} - \ShutdownOpt -> No File <==== ATTENTION
Task: {F63FB4A5-BE6D-421B-BDE7-FA5C7A49E472} - \{ABF3AECC-2B2A-46A3-BC3A-7BA8DCE3BEB3} -> No File <==== ATTENTION
2016-10-21 16:31 - 2016-10-21 16:31 - 00205824 _____ () C:\Program Files (x86)\knecht\lib.dll
2016-10-21 16:31 - 2016-10-21 16:31 - 00313344 _____ () C:\Program Files (x86)\knecht\common.dll
2016-10-21 16:31 - 2016-10-21 16:31 - 00040331 _____ () C:\Program Files (x86)\flog\swapped.exe
2016-10-21 16:31 - 2016-10-21 16:31 - 00516096 _____ () C:\Program Files (x86)\Cello\pride.exe
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\banktown.com -> hxxp://cjb.banktown.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\bccard.com -> hxxp://www.bccard.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\citibank.co.kr -> hxxp://www.citibank.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\cu.co.kr -> hxxp://www.cu.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\daegubank.co.kr -> hxxp://banking.daegubank.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\epostbank.go.kr -> hxxp://www.epostbank.go.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hanabank.com -> hxxp://www.hanabank.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hanaskcard.com -> hxxp://www.hanaskcard.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hksb.co.kr -> hxxp://www.hksb.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hometax.go.kr -> hxxp://www.hometax.go.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hsb.co.kr -> hxxp://banking.hsb.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\hyundaicard.com -> hxxp://www.hyundaicard.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\ibk.co.kr -> hxxp://mybank.ibk.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\jbbank.co.kr -> hxxp://www.jbbank.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\jeilbank.co.kr -> hxxp://banking.jeilbank.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\kbstar.com -> hxxp://kbstar.com
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\kdb.co.kr -> hxxp://www.kdb.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\keb.co.kr -> hxxp://ebank.keb.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\kfcc.co.kr -> hxxp://ibs.kfcc.co.kr
IE trusted site: HKU\S-1-5-21-2377441386-1568436963-1158331760-1002\...\kjbank.com -> hxxp://www.kjbank.com
C:\Users\HanSol PARK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok81454641.lnk
C:\Users\HanSol PARK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shamed.lnk
C:\Users\HanSol PARK\AppData\Local\run.txt
C:\Users\HanSol PARK\AppData\Local\setupsuccessful.txt
C:\Users\HanSol PARK\AppData\Local\stxtname.txt
CMD: ipconfig /flushdns
RemoveProxy:
Hosts:
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the “History” tab, then “Application Logs”
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Logs to include with the next post:

Fixlog.txt
Mbam.txt


Can you tell me if there are any changes.

Satchfan


Edited by satchfan, 23 October 2016 - 08:36 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#12 dongwonssamja


Posted 23 October 2016 - 11:56 AM

I've uninstalled the P2P software and run the two programs.
 
My browser seems to work properly now! I can access the web pages I've been previously blocked from, including here, bleepingcomputer.com.
My only problem left would be the Windows Defender that I cannot run.
 
Below is the content of Mbam.txt.
--------------------------------------------------------------------------
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/23/2016
Scan Time: 11:40 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.10.23.06
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: HanSol PARK
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 367905
Time Elapsed: 4 min, 7 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 4
Adware.Agent, HKLM\SOFTWARE\MICROSOFT\TRACING\ddnow_RASAPI32, Quarantined, [e5bd4c50930748eec7615ba19370d22e], 
Adware.Agent, HKLM\SOFTWARE\MICROSOFT\TRACING\ddnow_RASMANCS, Quarantined, [f8aad6c62179d660db4d11eb58ab36ca], 
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROLEAVES\Online Application Installer, Quarantined, [435f851734660a2ce68645caf01545bb], 
PUP.Optional.WebOptimum, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CBB7A1EB-D3C4-45A9-A5C9-EFB40A22BF7E}, Quarantined, [614163391b7fdc5aa04d55a825de847c], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)




#13 satchfan


Posted 23 October 2016 - 02:18 PM

Well done - we’re getting there. :clapping:
 

Let's look at the remaining problem.

 

Run Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:


Internet Services
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • press "Scan".
  • it will create a log (FSS.txt) in the same directory the tool is run.
  • please copy and paste the log to your reply.

Thanks


Edited by satchfan, 23 October 2016 - 02:18 PM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#14 dongwonssamja


Posted 23 October 2016 - 04:25 PM

Below is the content of FSS.txt file
Thanks!
--------------------------------------------------------------------------------------------
 
Farbar Service Scanner Version: 27-01-2016
Ran by HanSol PARK (administrator) on 23-10-2016 at 16:22:54
Running from "C:\Users\HanSol PARK\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****


#15 satchfan


Posted 23 October 2016 - 05:49 PM

Launch Notepad, (type Notepad in the search box then click on it). Copy/paste all the quoted regedit below into it - don't forget to include Windows Registry Editor Version 5.00:


  • 'Save as' Desktop, 'File name' fixme.reg
  • 'Save as type' All files
  • click Save

On the desktop, double-click fixme.reg and allow it to run. Let it merge

Reboot.

Can you tell me if you can enable Windows Defender.

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
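As an added example (not code from this thread, from FRST, FSS or any other tool named in it), the script below is a read-only PowerShell audit of the same places the FRST fixlist and FSS log pointed at: the per-user WinINET proxy that was set to 127.0.0.1:8877, the Windows Defender DisableAntiSpyware policy value, Startup-folder shortcuts, and Run-key and scheduled-task targets that are unsigned or missing. It assumes Windows 10 and an elevated PowerShell session; it changes nothing, it only lists what the helper would otherwise have to dig out of a log.

```powershell
# Added example, not part of the thread or of FRST/FSS: read-only audit of the
# tamper and persistence locations this infection used. Run elevated on Windows 10.
# Assumed: the registry paths and Startup folder are the standard ones quoted above.

function Get-ExePath([string]$command) {
    # Pull the executable out of a Run value or task action such as "C:\x\a.exe" /s.
    $s = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces (as in the FRST lines): accept it if it exists as-is.
    if (Test-Path -LiteralPath $s -ErrorAction SilentlyContinue) { return $s }
    return ($s -split ' ')[0]
}

function Get-SignatureStatus([string]$path) {
    # NoFile covers the orphaned "-> No File" tasks FRST reported; NotSigned is the
    # status the throwaway adware binaries (pride.exe, swapped.exe, ...) would show.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'NoFile' }
    return (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

function Get-InfectionAuditFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Per-user WinINET proxy. The fixlist showed http=127.0.0.1:8877: once the local
    #    proxy process was killed, every page failed with a server error.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        $findings.Add("Proxy enabled for current user: $($p.ProxyServer)")
        if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
            $findings.Add('  -> proxy points at loopback: typical of ad-injecting adware')
        }
    }

    # 2. Defender switched off by policy (the FSS log's DisableAntiSpyware=1) and the
    #    WinDefend service state that goes with it.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $d = Get-ItemProperty -Path $pol -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($d -and $d.DisableAntiSpyware -eq 1) {
        $findings.Add("Defender disabled via policy: $pol\DisableAntiSpyware = 1")
    }
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings.Add("WinDefend service is $($svc.Status) (start type $($svc.StartType))")
    }

    # 3. Startup-folder shortcuts and the binaries they launch (the ok81454641.lnk /
    #    shamed.lnk pattern from the fixlist).
    $shell = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $findings.Add("Startup shortcut: $($_.Name) -> $target [$(Get-SignatureStatus $target)]")
    }

    # 4. Per-user Run values (listed in full) and scheduled tasks whose action is not a
    #    validly signed executable; on Windows 10 catalog-signed Microsoft binaries
    #    report Valid, so what remains is the list worth checking by hand.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $exe = Get-ExePath ([string]$_.Value)
            $findings.Add("Run value [$($_.Name)] -> $exe [$(Get-SignatureStatus $exe)]")
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            $exe = Get-ExePath ([string]$_.Execute)
            $status = Get-SignatureStatus $exe
            if ($status -ne 'Valid') {
                $findings.Add("Task $($task.TaskPath)$($task.TaskName) -> $exe [$status]")
            }
        }
    }
    return $findings
}

$result = @(Get-InfectionAuditFindings)
if ($result.Count -eq 0) { Write-Output 'No findings.' } else { $result | Write-Output }
```

The script reports and does not remediate; in this thread the cleanup of the proxy, the startup shortcuts and the policy value was done through the FRST fixlist and the .reg file the helper supplied.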




