
Keep seeing pop-ups and links are redirected! Infected with Wonderlanads


  • This topic is locked
19 replies to this topic

#1 azim888

azim888

  • Members
  • 17 posts

Posted 07 May 2017 - 02:51 PM

Hi all

I'm having problems with wonderlandads.com popping up through google chrome and I can't stop it.

In order to fix my problem, I've reinstalled my Windows (Windows 8.1). Via Internet Explorer I started to test if my PC was clean or not; after opening the livescience.com website, again I was redirected to wonderlandsads.com. I don't know how it is possible. Maybe it's from my DNS server.

So I installed Google Chrome and it was affected too.

I've run Malwarebytes and rkill.exe but they did not find anything.

I reinstalled my Windows again, but this time, before the screen came up, I held the reset button on the router for 10 sec and reset it. Everything was fine until I checked my mobile and it was infected, and it also infected my PC, maybe via the router.

All of my devices, such as iPad, Nexus mobile with Android OS and my other laptops, got infected too.

I reset my mobile settings to factory settings. After connecting to my router and trying msn.com, for example, it redirects me again to wonderlandads.

 

Anyone have any advice on what to do please?

Thanks for any/all help

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-05-2017
Ran by Jbbb (administrator) on M (07-05-2017 12:20:33)
Running from C:\Users\Jbbb\Downloads
Loaded Profiles: Jbbb (Available Profiles: Jbbb)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{75074534-7BD4-4D5A-B80F-C1E115506659}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-241458704-1543903260-3076769687-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp

FireFox:
========
FF DefaultProfile: 4kjnasqb.default
FF ProfilePath: C:\Users\Jbbb\AppData\Roaming\Mozilla\Firefox\Profiles\4kjnasqb.default [2017-05-07]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-07 12:20 - 2017-05-07 12:20 - 00003103 _____ C:\Users\Jbbb\Downloads\FRST.txt
2017-05-07 12:20 - 2017-05-07 12:20 - 00000000 ____D C:\FRST
2017-05-07 12:17 - 2017-05-07 12:19 - 02429440 _____ (Farbar) C:\Users\Jbbb\Downloads\FRST64.exe
2017-05-07 09:15 - 2017-05-07 09:20 - 00000000 ____D C:\Users\Jbbb\AppData\Local\Mozilla
2017-05-07 09:15 - 2017-05-07 09:15 - 00001171 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-05-07 09:15 - 2017-05-07 09:15 - 00001159 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-05-07 09:15 - 2017-05-07 09:15 - 00000000 ____D C:\Users\Jbbb\AppData\Roaming\Mozilla
2017-05-07 09:15 - 2017-05-07 09:15 - 00000000 ____D C:\Users\Jbbb\AppData\LocalLow\Mozilla
2017-05-07 09:15 - 2017-05-07 09:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-05-07 09:15 - 2017-05-07 09:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-05-07 09:05 - 2017-05-07 09:05 - 00246032 _____ (Mozilla) C:\Users\Jbbb\Downloads\Firefox Setup Stub 53.0.2.exe
2017-05-07 08:45 - 2017-05-07 07:50 - 00000000 ____D C:\Windows\Panther
2017-05-07 08:41 - 2017-05-07 09:46 - 00000000 ____D C:\Program Files (x86)\Google
2017-05-07 08:41 - 2017-05-07 08:41 - 00000000 ____D C:\Users\Jbbb\AppData\Local\Google
2017-05-07 08:32 - 2017-05-07 08:56 - 00000000 ____D C:\Users\Jbbb\AppData\Local\Deployment
2017-05-07 08:32 - 2017-05-07 08:32 - 00000000 ____D C:\Users\Jbbb\AppData\Local\Apps\2.0
2017-05-07 07:55 - 2017-05-07 10:37 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-241458704-1543903260-3076769687-1001
2017-05-07 07:52 - 2017-05-07 07:52 - 00000000 ____D C:\Users\Jbbb\AppData\Roaming\Macromedia
2017-05-07 07:51 - 2017-05-07 07:51 - 00003894 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{13EF3DD0-6C81-47FC-857C-19F329BA27A4}
2017-05-07 07:51 - 2017-05-07 07:51 - 00000000 __SHD C:\Users\Jbbb\AppData\LocalLow\EmieUserList
2017-05-07 07:51 - 2017-05-07 07:51 - 00000000 __SHD C:\Users\Jbbb\AppData\LocalLow\EmieSiteList
2017-05-07 07:51 - 2017-05-07 07:51 - 00000000 __SHD C:\Users\Jbbb\AppData\Local\EmieUserList
2017-05-07 07:51 - 2017-05-07 07:51 - 00000000 __SHD C:\Users\Jbbb\AppData\Local\EmieSiteList
2017-05-07 07:50 - 2017-05-07 07:50 - 00001442 _____ C:\Users\Jbbb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-05-07 07:50 - 2017-05-07 07:50 - 00000000 ____D C:\Users\Jbbb\AppData\Roaming\Adobe
2017-05-07 07:50 - 2017-05-07 07:50 - 00000000 ____D C:\Users\Jbbb\AppData\Local\VirtualStore
2017-05-07 07:49 - 2017-05-07 07:50 - 00000000 ____D C:\Users\Jbbb\AppData\Local\Packages
2017-05-07 07:49 - 2017-05-07 07:50 - 00000000 ____D C:\Users\Jbbb
2017-05-07 07:49 - 2017-05-07 07:49 - 00000020 ___SH C:\Users\Jbbb\ntuser.ini
2017-05-07 07:49 - 2017-05-07 07:49 - 00000000 _SHDL C:\Users\Jbbb\My Documents
2017-05-07 07:49 - 2017-05-07 07:49 - 00000000 _SHDL C:\Users\Jbbb\Documents\My Videos
2017-05-07 07:49 - 2017-05-07 07:49 - 00000000 _SHDL C:\Users\Jbbb\Documents\My Pictures
2017-05-07 07:49 - 2017-05-07 07:49 - 00000000 _SHDL C:\Users\Jbbb\Documents\My Music
2017-05-07 07:49 - 2014-03-18 03:13 - 00000369 _____ C:\Users\Jbbb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2017-05-07 07:49 - 2014-03-18 03:13 - 00000369 _____ C:\Users\Jbbb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-07 11:32 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\NDF
2017-05-07 08:52 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-05-07 08:44 - 2013-08-22 08:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2017-05-07 07:55 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2017-05-07 07:53 - 2014-03-18 03:03 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-07 07:53 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\Inf
2017-05-07 07:49 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache
2017-05-07 07:48 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-07 07:47 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-05-07 07:45

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-05-2017
Ran by Jbbb (07-05-2017 12:20:54)
Running from C:\Users\Jbbb\Downloads
Windows 8.1 (X64) (2017-05-07 14:49:37)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-241458704-1543903260-3076769687-500 - Administrator - Disabled)
Guest (S-1-5-21-241458704-1543903260-3076769687-501 - Limited - Disabled)
Jbbb (S-1-5-21-241458704-1543903260-3076769687-1001 - Administrator - Enabled) => C:\Users\Jbbb

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Mozilla Firefox 53.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 53.0.2 (x86 en-US)) (Version: 53.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0.2 - Mozilla)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-241458704-1543903260-3076769687-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{0E88A916-CBF1-4E00-BC3E-F204AC45F68A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E5EFE6A8-A4ED-4A57-B1B0-C8D3DF67EC9D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: 3D Video Controller
Description: 3D Video Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004C003
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

System errors:
=============
Error: (05/07/2017 11:00:22 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/07/2017 09:18:07 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:18:04 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:47 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:15:56 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

==================== Memory info ===========================

Processor: Intel® Core™ i7-4700HQ CPU @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 8075.06 MB
Available physical RAM: 6216.86 MB
Total Virtual: 9995.06 MB
Available Virtual: 8186.47 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.17 GB) (Free:914.28 GB) NTFS
Drive d: (DVD 1) (CDROM) (Total:7.9 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: AA441488)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 


#2 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts

Posted 07 May 2017 - 06:25 PM

In order to find the cause of this adware, I reset my mobile to factory data and then used another router (D-Link), an uninfected one; the same happened again.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 May 2017 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn your System Restore ON - Windows Help
https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
Please post the Addition.txt log that was created by the Farbar tool.
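As an added example that is not part of this thread or of the FRST tool, the following Python script shows the check a responder would want alongside the reset script above: pull the DNS servers out of the FRST and ipconfig lines the logs show, label each one relative to the LAN gateway, and compare resolver answers against a trusted resolver. The sample log lines are constructed from the posts above; the off-LAN resolver 198.51.100.53 and the A-record sets are placeholders, not values from the thread.

```python
"""DNS-setting sanity checks for the kind of redirect problem in this thread.

Added example, not part of the BleepingComputer thread or of the FRST tool.
It parses the DNS lines FRST and ipconfig print, labels each resolver relative
to the LAN gateway, and compares resolver answers against a trusted reference.
"""
import ipaddress
import re

# Constructed sample: the DNS-related lines from the FRST.txt posted above.
FRST_SAMPLE = """\
Tcpip\\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\\..\\Interfaces\\{75074534-7BD4-4D5A-B80F-C1E115506659}: [DhcpNameServer] 192.168.1.1
DNS Servers: 192.168.1.1
"""

# Constructed sample (placeholder address): DHCP handing out an off-LAN resolver,
# which is what a DNS-changing infection on the router looks like from the host.
FRST_SUSPECT = """\
Tcpip\\Parameters: [DhcpNameServer] 192.168.1.1 198.51.100.53
DNS Servers: 198.51.100.53
"""

# Constructed sample: the Wi-Fi block from the ipconfig /renew output in the Fixlog.
IPCONFIG_SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DNS_LINE = re.compile(r"(?:\[DhcpNameServer\]|^DNS Servers:)\s*(.+)$", re.MULTILINE)
_GATEWAY_LINE = re.compile(r"^\s*Default Gateway[ .]*:\s*(.*)$", re.MULTILINE)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dns_servers(frst_text):
    """Unique DNS server addresses FRST reports, in first-seen order."""
    seen = []
    for match in _DNS_LINE.finditer(frst_text):
        for ip in _IPV4.findall(match.group(1)):
            if ip not in seen:
                seen.append(ip)
    return seen


def default_gateway(ipconfig_text):
    """First IPv4 default gateway in ipconfig output, or None if none is set."""
    for match in _GATEWAY_LINE.finditer(ipconfig_text):
        ips = _IPV4.findall(match.group(1))
        if ips:
            return ips[0]
    return None


def classify_dns(frst_text, ipconfig_text):
    """Label each configured resolver: 'gateway', 'lan' or 'external'.

    'gateway'  the router answers DNS itself, so the router's own upstream
               resolver setting (invisible in host-side logs) is what to inspect;
    'lan'      another RFC 1918 host on the LAN; unusual on a home network;
    'external' an address outside the LAN pushed by DHCP or set by hand; check
               it against the resolvers the ISP actually documents.
    """
    gateway = default_gateway(ipconfig_text)
    labels = {}
    for ip in dns_servers(frst_text):
        addr = ipaddress.ip_address(ip)
        if ip == gateway:
            labels[ip] = "gateway"
        elif any(addr in net for net in _RFC1918):
            labels[ip] = "lan"
        else:
            labels[ip] = "external"
    return labels


def mismatched_answers(local, reference):
    """Names whose local A-record answers share nothing with a trusted reference.

    Both arguments map hostname -> set of IPv4 strings (e.g. collected with
    nslookup against the LAN resolver and against a known-good public one).
    A redirecting resolver returns addresses the reference never returns, so
    a disjoint answer set is the signal; overlapping CDN rotation is ignored.
    """
    suspicious = {}
    for name, ref_ips in reference.items():
        local_ips = local.get(name, set())
        if local_ips and not (local_ips & ref_ips):
            suspicious[name] = sorted(local_ips)
    return suspicious


if __name__ == "__main__":
    print(classify_dns(FRST_SAMPLE, IPCONFIG_SAMPLE))
    print(classify_dns(FRST_SUSPECT, IPCONFIG_SAMPLE))
```

A "gateway"-only result, as in this thread's logs, means the host-side logs cannot show the upstream resolver; that setting lives on the router and has to be read there.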

#4 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts

Posted 09 May 2017 - 09:05 AM

Thanks for your reply

I turned my system restore on

I still keep seeing pop-ups

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-05-2017
Ran by Jbbb (09-05-2017 06:55:31) Run:1
Running from C:\Users\Jbbb\Downloads
Loaded Profiles: Jbbb (Available Profiles: Jbbb)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a457:723e:34a9:b70a%4
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a457:723e:34a9:b70a%4
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{75074534-7BD4-4D5A-B80F-C1E115506659}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:18cc:8f9:3f57:fe9b
   Link-local IPv6 Address . . . . . : fe80::18cc:8f9:3f57:fe9b%21
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset c:\resetlog.txt =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Resetting , failed.
Access is denied.

There's no user specified settings to be reset.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4815151 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 1918744 B
Edge => 0 B
Chrome => 0 B
Firefox => 198990334 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 13840 B
Jbbb => 63520830 B

RecycleBin => 0 B
EmptyTemp: => 264.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 06:55:59 ====

 


Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004C003
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7


System errors:
=============
Error: (05/07/2017 11:00:22 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/07/2017 09:18:07 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:18:04 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:47 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:15:56 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4700HQ CPU @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 8075.06 MB
Available physical RAM: 6216.86 MB
Total Virtual: 9995.06 MB
Available Virtual: 8186.47 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.17 GB) (Free:914.28 GB) NTFS
Drive d: (DVD 1) (CDROM) (Total:7.9 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: AA441488)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 09 May 2017 - 12:50 PM


From my previous post.
p.s.
Please post the Addition.txt log that was created by the Farbar tool.


There could be some startup item that is causing this.

===

Run this scan .

Please download Zemana AntiMalware and save it to your Desktop.
- You need to unzip it and start it.
- Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

- Open Zemana AntiMalware again.
- Click on the reports icon and double-click the latest report.
- Now click File > Save As and choose your Desktop before pressing Save.
The only thing left is to attach the saved report to your next message.

#6 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 09 May 2017 - 01:01 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-05-2017
Ran by Jbbb (07-05-2017 12:20:54)
Running from C:\Users\Jbbb\Downloads
Windows 8.1 (X64) (2017-05-07 14:49:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-241458704-1543903260-3076769687-500 - Administrator - Disabled)
Guest (S-1-5-21-241458704-1543903260-3076769687-501 - Limited - Disabled)
Jbbb (S-1-5-21-241458704-1543903260-3076769687-1001 - Administrator - Enabled) => C:\Users\Jbbb

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Mozilla Firefox 53.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 53.0.2 (x86 en-US)) (Version: 53.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0.2 - Mozilla)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-241458704-1543903260-3076769687-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{0E88A916-CBF1-4E00-BC3E-F204AC45F68A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E5EFE6A8-A4ED-4A57-B1B0-C8D3DF67EC9D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: 3D Video Controller
Description: 3D Video Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004C003
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:48 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0xC004C003
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:40 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=9a8645c4-8908-49bb-8eec-6671a533b17a;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=9a8645c4-8908-49bb-8eec-6671a533b17a

Error: (05/07/2017 07:51:29 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7


System errors:
=============
Error: (05/07/2017 11:00:22 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

Error: (05/07/2017 09:18:07 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:18:04 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:47 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:46 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:17:32 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Error: (05/07/2017 09:15:56 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4700HQ CPU @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 8075.06 MB
Available physical RAM: 6216.86 MB
Total Virtual: 9995.06 MB
Available Virtual: 8186.47 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.17 GB) (Free:914.28 GB) NTFS
Drive d: (DVD 1) (CDROM) (Total:7.9 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: AA441488)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

 

Attached File  2017.05.09-10.57.11-i0-t92-d0.txt   809bytes   3 downloads


Edited by azim888, 09 May 2017 - 01:02 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 10 May 2017 - 07:26 AM

It's strange that your Addition.txt log only shows Firefox installed.
Did you edit the file?

===


Launch Notepad, and copy/paste all the lines below into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer.
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, and you also have to re-install IE-SpyAd if it was installed.

Restart the computer normally.

Let me know if the problem persists.

#8 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 10 May 2017 - 07:43 AM

No, I did not change the Addition.txt file. It's the original file. After installing Windows, I just installed Firefox.

I followed your instructions but the pop-ups still keep coming.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 10 May 2017 - 07:45 AM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

p.s.
https://android.stackexchange.com/questions/128957/removal-of-the-wonderlandads-com-pop-up-virus

Read the article.

You may have to remove chrome from your Mobile.

Then reset your router again.

Restart the computer and see if the problem persists.

Quoted from the last post on the article.
Try to remove Chrome from your Android device and use default browser. It was ok for me on Galaxy S6 Edge.

Edited by nasdaq, 10 May 2017 - 07:59 AM.


#10 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 10 May 2017 - 08:15 AM

RogueKiller V12.10.8.0 (x64) [May  8 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Jbbb [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/10/2017 05:59:19 (Duration : 00:11:11)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 46.249.120.90 217.218.155.155 ([Iran][Iran])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{75074534-7BD4-4D5A-B80F-C1E115506659} | DhcpNameServer : 46.249.120.90 217.218.155.155 ([Iran][Iran])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 7db8fe58cc8e6d27b2a4d2fb4459a6c1
[BSP] aa7b4b2e53d5c3db2f29d9089a58c79d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953517 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 



#11 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 10 May 2017 - 08:41 AM

According to https://support.google.com/chrome/answer/95319?co=GENIE.Platform%3DAndroid&hl=en , it's not possible to remove Chrome from Android, I can only disable it.

Is it enough ? Can I just disable it and reset my router to test your suggested instruction ?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 10 May 2017 - 12:31 PM


These IP addresses may be the culprit.
Check with your Internet Provider and if not required fix both of them with the RogueKiller tool.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 46.249.120.90 217.218.155.155 ([Iran][Iran]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{75074534-7BD4-4D5A-B80F-C1E115506659} | DhcpNameServer : 217.218.155.155 ([Iran][Iran]) -> Found


Can I just disable it and reset my router to test your suggested instruction ?

Yes.

Find out if the problem persists with your computer.

p.s.
If you are syncing Chrome I would disable it also.
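The two resolvers RogueKiller flagged above are worth checking directly rather than by geolocation tag or by asking the ISP whether the addresses are "valid": a resolver that is handing out wrong answers would explain what the poster describes (every device, every browser, surviving a Windows reinstall), because with a lying DNS path the client is irrelevant. The script below is an added example, not code from this thread or from RogueKiller/FRST. It builds raw DNS queries with the Python standard library, sends the same questions to the suspect resolvers and to a reference resolver, and looks for the classic hijack signature, unrelated names all resolving to the same address. The addresses 46.249.120.90 and 217.218.155.155 are taken from the log above; 1.1.1.1 as the reference resolver, the probe names and the embedded sample reply are assumptions constructed for this example.

```python
import random
import socket
import struct

# Resolvers flagged in the RogueKiller log above; the reference resolver
# and probe names are assumptions for this example.
SUSPECT_RESOLVERS = ["46.249.120.90", "217.218.155.155"]
REFERENCE_RESOLVER = "1.1.1.1"
PROBE_NAMES = ["livescience.com", "msn.com", "example.com"]
# Constructed reply (txid 0x1234, msn.com -> 10.0.0.1, 10.0.0.2), not a capture.
SAMPLE_REPLY = bytes.fromhex(
    "123481800001000200000000" "036d736e03636f6d0000010001"
    "c00c000100010000003c00040a000001" "c00c000100010000003c00040a000002")


def encode_name(name):
    """Wire-encode a hostname as length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Recursive A query: 12-byte header, question name, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # parsing resumes after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(data, expected_txid):
    """Return the set of IPv4 addresses in the answer section of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, offset = decode_name(data, offset)
        offset += 4
    ips = set()
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return ips


def resolve(resolver_ip, name, timeout=3.0):
    """Ask one resolver over UDP/53 for A records (needs network access)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def shared_answer(answers_by_name):
    """Addresses every probed name resolved to: unrelated sites all landing
    on one address is the classic sign of an ad-injecting resolver."""
    sets = [s for s in answers_by_name.values() if s]
    return set.intersection(*sets) if len(sets) > 1 else set()


def verdict(suspect, reference):
    """Per-name comparison; 'divergent' alone is only a hint (CDN geo-DNS)."""
    if not suspect:
        return "no-answer"
    return "consistent" if suspect & reference else "divergent"


if __name__ == "__main__":
    for resolver in SUSPECT_RESOLVERS:
        got = {n: resolve(resolver, n) for n in PROBE_NAMES}
        for n in PROBE_NAMES:
            print(resolver, n, verdict(got[n], resolve(REFERENCE_RESOLVER, n)))
        print(resolver, "shared by all names:", shared_answer(got) or "none")
```

Run it from the affected PC and, for comparison, from a machine on a different network. A healthy path gives "consistent" answers, or at worst "divergent" ones with no address shared by every probe name; a resolver that returns the same address for livescience.com, msn.com and example.com is redirecting. Query the router itself as well (192.168.1.1, which is what the FRST log shows the PC actually uses): a compromised or misconfigured gateway can intercept port 53 no matter which upstream resolvers DHCP advertises, and nothing in the reinstall and reset cycle described in this thread verified that. Note that DNS over UDP is unauthenticated, so the transaction-id check rejects only stray replies, not a deliberate on-path forgery.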

#13 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 10 May 2017 - 01:13 PM

I contacted my ISP and both IP addresses are valid and legit.

I disabled chrome on my mobile .

I reset my router.

I reset my computer.

I still keep seeing the Wonderlandads pop-ups.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:52 PM

Posted 11 May 2017 - 06:44 AM


Remove Chrome from your computer and reinstall a fresh copy.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

If you Sync your data.
Delete Your Google Chrome Browser Sync Data
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/
<<<>>>

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Re-install Chrome and the Bookmarks.

p.s.
On your Android I would download and install again.
Instructions here:
https://support.google.com/chrome/answer/95346?co=GENIE.Platform%3DAndroid&hl=en

#15 azim888

azim888
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:52 PM

Posted 11 May 2017 - 09:06 AM

Thanks for your reply, but after installing the new Windows I did not install Chrome on my PC.