
nasty infection. Win10

7 replies to this topic

#1 Radziq91

  • Members
  • 4 posts

Posted 01 April 2017 - 06:26 AM

Hi!

First of all, I'm sorry for my English. Sometimes it may be difficult to understand me.

OK, it all started some time ago. My old Win7 installation was corrupted (corrupted HD sectors). With some help from my friend we were able to fix my HD, and we installed a fresh Windows 10 on it. It automatically installed all the drivers it needed. I installed the Nvidia driver along with the Realtek driver and some driver updates. I installed AVG Free antivirus. Then after a few days my laptop started to have strange HD usage. It is like 100% for the first 5 minutes after startup. I have read that I have to disable various services like Windows Defender, Windows Update, etc. I have disabled a few things that could have caused my infection. Keep it in mind.

OK, then one week ago I installed a few games and it all started. My Chrome browser started to open new tabs and redirect me to strange websites, and while playing games I needed to lower graphics settings (even if they were OK before). I googled it and found out that my laptop is infected. What I have done since:

- installed ADW Cleaner and did a checkup, which deleted something, but the problem still existed

- installed Malwarebytes software, updated it, did the checkup, and the same story as above

- downloaded FRST software because I had read on some website that it may help. I did not know how it really works, and I did not ask anybody to check my logs; instead of that I created fixlist.txt with a script provided for somebody else. I was not aware that it does not work that way. Anyway, I did it... and after half an hour of fixing I did not know what to do, because there was no progress bar, so I decided to abort it. I don't know if there are any consequences of this action, but I find it important to tell.

- I scanned my laptop with FRST and posted logs on one forum, but some experts told me that there is nothing in it.

- Today I downloaded and scanned the laptop (without any results) with: Hitman Pro, Rkill, JRT and Emsisoft Emergency Kit

That is all I have done so far. I also checked my CTRL+ALT+DEL processes and did not find anything suspicious. I have checked my Chrome extensions - only AdBlock there.

 

The weirdest thing of all is the fact that Malwarebytes (up to date, but trial) is blocking some websites from time to time. Windows pops up saying that a website was blocked, giving the IP address, and location: chrome.exe

I have checked history of Malwarebytes and websites blocked are:

These are not all of the history entries. There are more of them, which differ only in the numbers after ":". If you are going to need all of them, I will put them in. Also, I put them in an order which looks nice, but they happen simultaneously.

First history log in Malwarebytes is from 29.03.2017.

 

I think this is all I can say for now. Please help me get rid of this :( I really don't want to format again. I prefer to fix my current setup. P.S. I have some other issues with the laptop; should I create another post? Or can I ask you to help me fix them after we get rid of the viruses?

 

Thank you very much for all the help you are going to give me. I respect you a lot for what you do, that you provide free help for people like me :(

 

edit: I'll try to post all the websites I am redirected to (the ones which are not blocked by MWB)

www.safetyweb.space


Edited by Radziq91, 01 April 2017 - 06:54 AM.




#2 buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 April 2017 - 08:52 AM

Welcome to BC....

 

Use the programs below to clean, remove malware and remove adware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

After doing the above reset your Chrome browser.

 

You can restore your browser settings in Chrome at any time. You might need to do this if apps or extensions you installed changed your settings without your knowledge. Your saved bookmarks and passwords won't be cleared or changed.

  1. On your computer, open Chrome.
  2. At the top right, click More > Settings.
  3. At the bottom, click Show advanced settings.
  4. Under the section "Reset settings," click Reset settings.
  5. In the box that appears, click Reset.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Radziq91

  • Topic Starter
  • Members
  • 4 posts

Posted 01 April 2017 - 11:46 AM

Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64
Ran by xXx (Administrator) on 01.04.2017 at 17:07:37,66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01.04.2017 at 17:10:35,66
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET scanning took 1:23:18 but did not find anything either.
After I posted my first entry here, I uninstalled one game, which Malwarebytes had flagged as infected. It seems it helped a bit. I don't see any popups, and I had only one redirect. I need more time to see if the problem has gone or not. Anyway, if you have any more tips for me, I'll be glad to try them.


#4 buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 April 2017 - 11:54 AM

If you are still getting redirected in Chrome then you should do a clean uninstall which means deleting your Chrome profile, too.

You can save your bookmarks before doing that as they will be removed when deleting the profile.

Import or export bookmarks - Chrome Help

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • When complete, the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply


#5 Radziq91

  • Topic Starter
  • Members
  • 4 posts

Posted 01 April 2017 - 12:24 PM

If it may help, I can do the clean uninstall. I have no bookmarks or anything. Just tell me how to do it :)

And here is the log.

 

SecurityCheck by glax24 & Severnyj v.1.4.0.47 [25.03.17]
WebSite: www.safezone.cc
DateLog: 01.04.2017 19:21:48
Path starting: C:\Users\xXx\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: xXx
VersionXML: 4.05is-25.03.2017
___________________________________________________________________________
 
Windows 10(6.3.14393) (x64) Core Lang: Polish(0415)
Installation date OS: 06.03.2017 12:20:05
Boot Mode: Normal
Default Browser: Microsoft Edge (C:\Windows\system32\LaunchWinApp.exe)
SystemDrive: C: FS: [NTFS] Capacity: [200 Gb] Used: [41.1 Gb] Free: [158.9 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.953.14393.0
User Account Control enabled
 
Windows Update (wuauserv) - The service has stopped
Centrum zabezpieczeń (wscsvc) - The service is running
Rejestr zdalny (RemoteRegistry) - The service has stopped
Odnajdywanie SSDP (SSDPSRV) - The service is running
Usługi pulpitu zdalnego (TermService) - The service has stopped
Zdalne zarządzanie systemem Windows (WS-Management) (WinRM) - The service has stopped
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2013 x64 v.15.0.4569.1506
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Malwarebytes (disabled and up to date)
AVG Antivirus (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Zapora systemu Windows (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Malwarebytes (disabled and up to date)
Windows Defender (disabled and up to date)
AVG Antivirus (enabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
ESET Online Scanner v3
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes (wersja 3.0.6.1469) v.3.0.6.1469
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 5.40 (64-bit) v.5.40.0
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.33 v.7.33.105 Warning! Download Update
^Optional update.^
--------------------------------- [ P2P ] ---------------------------------
µTorrent v.3.4.9.43388 Warning! P2P-client.
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat Reader DC - Polish v.15.020.20039 Warning! Download Update
^Please run Acrobat Reader DC and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Google Chrome v.56.0.2924.87 Warning! Download Update
--------------------------- [ RunningProcess ] ----------------------------
chrome.exe
------------------ [ AntivirusFirewallProcessServices ] -------------------
AVG Antivirus (AVG Antivirus) - The service is running
C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe v.17.3.3443.0
AVG Service (avgsvc) - The service is running
C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe v.1.182.2.64574
AVG Service (avgsvc) - The service is running
C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe v.17.3.3443.0
C:\Program Files (x86)\AVG\Framework\Common\avguix.exe v.1.182.2.64574
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.3.0.0.912
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.1.0.415
Usługa Windows Defender (WinDefend) - The service has stopped
Usługa inspekcji sieci Windows Defender (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------

P.S. I wonder why the log says that MWB is disabled? I have all options enabled, 4 options enabled in the taskbar.
P.S.2 And why does SecurityCheck not scan partition E:? (I have C: & E:)

Edited by Radziq91, 01 April 2017 - 12:51 PM.
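As an added illustration that is not part of this thread: a small Python parser for the SecurityCheck log format posted above (section banners, service-status lines, AV-status lines and "Warning!" lines) that reduces a log to the findings a helper looks for first: stopped services, disabled protection, and software flagged for update. The sample input is an excerpt of the log in the post above; the function name, the report keys, and the regular expressions are my own, not part of the tool.

```python
import re
# Excerpt of the SecurityCheck log posted in this thread (same line formats as the full log).
SAMPLE_LOG = """\
------------------------------- [ Windows ] -------------------------------
Windows Update (wuauserv) - The service has stopped
Zdalne zarządzanie systemem Windows (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Malwarebytes (disabled and up to date)
AVG Antivirus (enabled and up to date)
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.33 v.7.33.105 Warning! Download Update
^Optional update.^
--------------------------------- [ P2P ] ---------------------------------
µTorrent v.3.4.9.43388 Warning! P2P-client.
------------------------------- [ Browser ] -------------------------------
Google Chrome v.56.0.2924.87 Warning! Download Update
----------------------------- [ End of Log ] ------------------------------
"""
SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+) \] -+$")
SERVICE_RE = re.compile(r"^.+ \((?P<svc>[^()]+)\) - The service has (?P<state>stopped|running)$")
AV_RE = re.compile(r"^(?P<product>.+) \((?P<state>enabled|disabled) and .+\)$")
WARN_RE = re.compile(r"^(?P<product>.+?) v\.(?P<ver>\S+) Warning! (?P<reason>.+)$")

def parse_securitycheck(text):
    """Reduce a SecurityCheck log to stopped services, disabled protection and warnings."""
    section, report = None, {"stopped_services": [], "disabled_av": [], "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("^"):  # skip blanks and the ^hint^ lines
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("state") == "stopped":
                report["stopped_services"].append(m.group("svc"))
            continue
        m = AV_RE.match(line)
        if m:  # Antivirus_WMI and AntiSpyware_WMI repeat the same products; record each once
            if m.group("state") == "disabled" and m.group("product") not in report["disabled_av"]:
                report["disabled_av"].append(m.group("product"))
            continue
        m = WARN_RE.match(line)
        if m:
            report["warnings"].append((section, m.group("product"), m.group("ver"), m.group("reason")))
    return report
```

The "Download Update" entries alongside a stopped wuauserv are the combination a helper would want to resolve before judging whether the redirects have really gone.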


#6 buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 April 2017 - 02:07 PM

Security Check ran properly. Sometimes MBAM acts a bit weird since 3.0 was released. Stop and start for no apparent reason is one bug. If it is the FREE version then it will not be active. If the TRIAL version....it is active for only 30 days.

 

You should NOT use uTorrent to download free stuff. More than half of those downloads will contain malware and adware....some of the worst.

That is why Security Check highlighted it.

 

If you are still getting misdirected in Chrome then uninstall Chrome. While doing that you will be asked if you want to uninstall your profile...do that.

  1. On your computer, close all Chrome windows and tabs.
  2. Click the Start menu > Settings.
  3. Click System.
  4. On the left, click Apps & features.
  5. Find and click Google Chrome.
  6. Click Uninstall.
  7. Confirm by clicking Uninstall.
  8. To delete your profile information, like bookmarks and history, check "Also delete your browsing data."
  9. Click Uninstall.


#7 Radziq91

  • Topic Starter
  • Members
  • 4 posts

Posted 01 April 2017 - 03:40 PM

I've done as you said. I will see in a few days if everything is OK. uTorrent, yeah, I know. I have been using it for quite a long time on my PC and I had no trouble at all. Seeking cracks, patches, mods, translations seems more dangerous (especially if what you seek has low availability). But I'll keep it in mind. Thank you a lot! Umm, can I ask for help with two other issues I'm having? I would be happy to donate something as well :)



#8 buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 01 April 2017 - 04:25 PM

Sure...just look through the list of different Forums and choose the most suitable. You're welcome...

