Wonderlandads + Computer slowed + Internet slowed

Greetings, my name is Val. I would use a help for my computer problem.

 

Starting 2-3 days ago, i noticed that i got popups that says wonderlandads in the addressbar when i browsed 9gag. I thought 9gag needed more money so i didn't pay attention to it. But then i browsed porn site that is unrelated to 9gag, and i noticed that it also pop wonderlandads whenever i click ANYTHING (not just link). Then more site pop wonderlandads. But it never pop on anything personal like Facebook, Google, Youtube or Whatsapp web.

 

I then googled for solution. One of them directed me here. I tried some solution from other websites and from BC. There are no harmful extension installed on my Chrome and Opera (main browser), i installed MBAM, ADWcleaner, CCleaner, JRT, TFC. The problem still persist. After i installed MBAM my PC went crazy, startup took forever, opening everything is slow, and my PC constantly freeze that i had to hard-reset. I uninstalled MBAM, it's faster now, no freezing, but i still notice it's still low by a little.

 

Internet is slow, i only got 100 KB/s. It's only about 10% from my 10 mbps speed. I checked the speed on other machines (cellphone included) and it's still fast (1 MB/s, more or less reach the max speed of 10mbps).

 

One thing is certain: i always get do-search on chrome's favicon on ADWcleaner even if i repeat that scan over and over again.

 

Below is the log from Farbar FRST.txt:

 

 

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these old and unwanted programs via the Control Panel > Programs > Programs and features.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 17.0.0.124 - Adobe Systems Incorporated)
Java 8 Update 101 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Java SE Development Kit 8 Update 71 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180710}) (Version: 8.0.710.15 - Oracle Corporation)
KMSpico v9.3 (HKLM\...\KMSpico_is1) (Version: 9.3 - )
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.) <- if you use this program it's you call if you want to keep it or not.

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1931751240-4059142664-1240906812-1000\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-1931751240-4059142664-1240906812-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1931751240-4059142664-1240906812-1003\User: Restriction <======= ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Valentino\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-17]
CHR Extension: (Chrome Media Router) - C:\Users\Valentino\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [1006784 2014-06-22] (@ByELDI) [File not signed]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
Task: {8BDF46CA-8034-4707-B74D-76FEAD9190F4} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-06-22] (@ByELDI)
FirewallRules: [{397E3F72-5FD1-4669-9D22-117988ED9AF2}] => C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{A920E50A-C111-4BE2-A9B5-DCC063AE12DB}] => C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{1C6866F1-B4F3-4AA9-AE4B-5B04DCD3FAE2}] => C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{0B79660A-C99A-4EA7-B689-1300C0E2A7DD}] => C:\Program Files\KMSpico\Service_KMS.exe
C:\Users\Valentino\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Program Files\KMSpico
End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Opera.
http://www.guidingtech.com/25425/reset-chrome-firefox-safari-factory-defaults
+++

For your added security get the latest version.

JAVA

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

ADOBE AIR

Navigate to this page and follow the instructions to get the latest version.
https://get.adobe.com/air/


Please post the Fixlog.txt and let me know what problem persists with this computer.

Thank you for quick response!

 

I will do what listed above and post the update.

I did what listed above. Removed java and air, haven't reinstall them. Reset browser setting. Problem still persists.

 

Fixlog.txt

 

--RogueKiller--

• Download & SAVE to your Desktop Download RogueKiller
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or above, right-click the program file and select "Run as Administrator"
• Accept the user agreements.
• Execute the scan and wait until it has finished.
• If a Windows opens to explain what [PUM's] are, read about it.
• Click the RoguKiller icon on your taksbar to return to the report.
• Click open the Report
• Click Export TXT button
• Save the file as ReportRogue.txt
• Click the Remove button to delete the items in RED
• Click Finish and close the program.
• Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.

=======

Has the problem been solved?

Unfortunately, no.

The internet problem is solved, it's fast again. The computer is not slowed. But wonderlandads is still there in my browsers (Opera) including that i rarely use (Chrome), except IE. No wonderlandads in IE.

Please run the Farbar Recovery Scan Tool. Enter wonderlandads.* in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Lets see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter wonderlandads in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

Edited by nasdaq, 12 December 2016 - 01:47 PM.

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:

createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b

Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

Oh and i frequently bump into this:
 

This site can’t be reached

www.facebook.com’s server DNS address could not be found.

OMG wonderlandads gone. Thank youu thank youu

 

But, i'm still bumping into DNS error for (mostly) Facebook and Youtube. Is it provider related? If so, the coincidence is very high, the problem started when i got wonderlandads and i read somewhere that malware can hijack my connection with some proxy.

 

Edit: oh and i can browse Facebook and Youtube from my cellphone. Are the mobile and web version using the same DNS?

Edit again: tried flushDNS, didn't work.

Edited by Valmighty, 13 December 2016 - 01:34 PM.

Try this.

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===