infected by d2buh1bf1g584w.cloudfront.net


  • This topic is locked
30 replies to this topic

#1 bobsanchez123

bobsanchez123

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 21 May 2017 - 03:58 PM

Hi, I'm getting the warning error message also. I recently had a problem with malware, wondershare filmora, ourluckysites, tencent (pcmgr) and evergreen, bit.dll. I have removed every file with any of these names from my computer files and the registry, but I am now getting this message (attached file: warning error message.png) from malwarebytes that a malicious website is being blocked. The computer kept getting reinfected every few days, sometimes with malwarebytes finding 1000 files from adware elex folder recitation. My Mozilla firefox logo would change to the icon big farm and big farm would be on the start menu; I also would get links to advertisements from amazon and stuff like that on the desktop. I think I have gotten rid of that since deleting wondershare, but my computer has only seemed clean for a day or two. I uninstalled firefox and am now using internet explorer 11. The computer seems to run quite well for a few days, then bam, big farm is installed again and bit.dll is running in the background. I also deleted a file called bs1gsli updater or something like that.

 

 

 

I have been running:

  • malwarebytes
  • roguekiller
  • rkill
  • adwcleaner
  • junk removal tool
  • hitman pro
  • farbar recovery scanner tool
  • emsisoft emergency
  • unhack me

 

 

 

I'm hoping most of the problem is gone from removing wondershare compact helper

Thank you for your help

 

 

attached are frst logs and addition

 

Attached Files




 


#2 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 25 May 2017 - 08:58 AM

Hi, is there any further information I need to give to get assistance? I saw another user posted almost the exact same question but I assumed I couldn't use the same solution because our systems are different. Does every question on this site get resolved? I have a few more days of the free trial of malwarebytes premium but I would like to get this resolved before the trial ends. Should I upload roguekiller logs or anything like that? I'm still getting the message that malwarebytes is blocking a malicious website, sometimes when I'm not doing anything on the internet.



#3 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 26 May 2017 - 08:35 AM

attaching adwcleaner files

 

Attached Files



#4 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 26 May 2017 - 10:08 AM

Hi, these are my frst logs and addition from today, 26th May. Still getting the same message from d2buh1bf1g584w.cloudfront.net

 

Hope to hear from you soon

Attached Files



#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:12 AM

Posted 26 May 2017 - 04:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/647285 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 26 May 2017 - 04:28 PM

Hi, I am still having the same problem, I am getting the message that a website is being accessed as in the first post, the same message keeps coming up. I don't have the same problems with malware that I was having in the first post,  but I am getting the message from malwarebytes. I do not have the original windows dvd that came with the computer. Thanks for your help.

Attached Files



#7 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 27 May 2017 - 01:35 PM

Is there anything else I need to do to get a response? Would like to get this solved before my malwarebytes trial is up.



#8 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 28 May 2017 - 09:14 AM

Attaching today's frst, 28/05/2017.

 

 

Would love if someone could tell me what program is trying to connect me to that website d2buh1bf1g584w.cloudfront.net?

Attached Files



#9 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 29 May 2017 - 10:04 AM

Attaching frst files from 29/05/2017. Not sure what I have to do to get a response. I originally asked for help over a week ago and I've seen at least two other people post the same question and get help within one or two days. Is the website malware? Do I still have malware on my computer? The same image from malwarebytes that I posted in the first post is still coming up on my computer once every hour or two.

Attached Files



#10 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:01:12 PM

Posted 30 May 2017 - 06:36 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
 

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double-click the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click AdwCleaner.exe
  • Vista / Windows 7/8/10 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 31 May 2017 - 09:44 AM

Hi thanks for your response, I have attached all the files you asked for.

Attached Files



#12 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:01:12 PM

Posted 31 May 2017 - 10:07 AM

infected by d2buh1bf1g584w.cloudfront.net

Do you get popups or what else?

---



Copy FRST / FRST64.exe to your desktop!

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt
 
Start
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} -  No File
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
U3 aswbdisk; no ImagePath
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\EX64.SYS [X]
2015-01-05 19:51 - 2015-01-05 19:51 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-01-05 19:48 - 2015-01-05 19:48 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-01-05 19:49 - 2015-01-05 19:49 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2015-01-05 19:49 - 2015-01-05 19:50 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-01-05 19:48 - 2015-01-05 19:48 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
CustomCLSID: HKU\S-1-5-21-2558980819-2723414284-2601808476-1001_Classes\CLSID\{24734139-2E14-88F8-FDDF-194FDB2B19C4}\InprocServer32 -> no filepath
Task: {02CAA73C-3435-44D7-BB1A-50077A8A5F61} - \Hewlett-Packard\HP Support Assistant\Product Configurator -> No File <==== ATTENTION
Task: {2F048964-8A90-4623-9897-0277724FB02D} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan -> No File <==== ATTENTION
Task: {47FD183D-8000-416E-B84C-9A663FD55528} - \B1zGsIiSbOqp -> No File <==== ATTENTION
Task: {4C62CB91-0AE8-4815-B09F-2E4FDEDC5861} - \Hewlett-Packard\HP Support Assistant\PC Health Analysis -> No File <==== ATTENTION
Task: {718C1617-C3D0-4F1A-8052-1F052249075B} - \Nverther -> No File <==== ATTENTION
Task: {C21F33FF-E411-4708-8891-B6F53EDD6520} - \Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) -> No File <==== ATTENTION
Task: {DFE5B7F1-B7CB-4E1C-872F-E77D9EA0CCDD} - \Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start -> No File <==== ATTENTION
Task: {EFA1069B-9C72-402F-8430-5B4F60E14798} - \Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [0]
HKU\S-1-5-21-2558980819-2723414284-2601808476-1001\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
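
The fixlist in post #12 removes scheduled-task entries whose target file is gone ("No File"). The script below is an added example, not part of the original posts and not FRST's own code: it parses the Task lines of such a list and sorts the orphaned tasks by where they sit in Task Scheduler, so the ones outside any vendor folder are reviewed first. The line layout is inferred only from the lines visible in this thread; the function names and bucket names are hypothetical.

```python
import re

# Lines copied unchanged from the fixlist in post #12 (a subset).
FIXLIST = r"""
CreateRestorePoint:
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
Task: {02CAA73C-3435-44D7-BB1A-50077A8A5F61} - \Hewlett-Packard\HP Support Assistant\Product Configurator -> No File <==== ATTENTION
Task: {47FD183D-8000-416E-B84C-9A663FD55528} - \B1zGsIiSbOqp -> No File <==== ATTENTION
Task: {718C1617-C3D0-4F1A-8052-1F052249075B} - \Nverther -> No File <==== ATTENTION
Task: {C21F33FF-E411-4708-8891-B6F53EDD6520} - \Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [0]
"""

# Assumed layout, taken from the Task lines on this page only:
#   Task: {GUID} - \folder\name -> target [<==== ATTENTION]
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<path>\\.+?) -> (?P<target>.*?)"
    r"(?P<flag>\s*<=+ ATTENTION)?$"
)


def parse_tasks(text):
    """Return one dict per Task line; every other line type is skipped."""
    tasks = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        parts = m["path"].strip("\\").split("\\")
        tasks.append({
            "guid": m["guid"],
            "name": parts[-1],
            "folder": "\\".join(parts[:-1]),  # "" means the Task Scheduler root
            "orphaned": m["target"].strip() == "No File",
            "flagged": m["flag"] is not None,
        })
    return tasks


def triage(task):
    """Heuristic ordering only. A vendor-named folder does not prove a task
    is benign, and a root-level task is not proof of malware."""
    if not task["orphaned"]:
        return "has-target"       # target exists; inspecting it is out of scope here
    if task["folder"] == "":
        return "root-orphan"      # no folder, target gone: look at these first
    return "foldered-orphan"      # e.g. under \Hewlett-Packard\, target gone


def summarize(text):
    """Return {bucket: [task names]} for every Task line in the text."""
    buckets = {}
    for task in parse_tasks(text):
        buckets.setdefault(triage(task), []).append(task["name"])
    return buckets


if __name__ == "__main__":
    for bucket, names in summarize(FIXLIST).items():
        print(f"{bucket}: {len(names)}")
        for name in names:
            print("   ", name)
```
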


#13 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 31 May 2017 - 12:22 PM

Thanks for your response.

 

I haven't got popups or many problems for eleven days since I've been using malwarebytes premium, just the popup from malwarebytes saying the website is being blocked. Before I had malwarebytes premium, I was getting problems with popups but I have since deleted files related to wondershare filmora which I think may have been causing the pop-ups.

 

I saw other people on this website talking about malwarebytes picking up the d2buh1b1fg584w.cloudfront.net from windowssytem32.msiexec.exe, and I thought that might mean that when my malwarebytes premium trial ends the problem might come back, with my internet explorer getting ads from mothercare and redirection to big farm etc., because something in my system keeps trying to connect to that website. Every hour or two I get the message from malwarebytes that a malicious website is being blocked. Adwcleaner always finds 6 problems; the keys then are deleted and cleaned, and the same thing happens the next time I run adwcleaner. The 6 problems are always the same. I have used the fix tool in frst and attached the fixlog as requested.

 

Thank you for your help.

 

What does it mean that the malicious website is being blocked by malwarebytes?

Attached Files


Edited by bobsanchez123, 31 May 2017 - 12:22 PM.


#14 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:01:12 PM

Posted 31 May 2017 - 12:48 PM

Seems to be a browser addon that hijacks your browsers

---

Please download Zemana AntiMalware and save it to your Desktop.
- Start it...
- Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

- Open Zemana AntiMalware again.
- Click on icon and double click the latest report.
- Now click File > Save As and choose your Desktop before pressing Save.
The only thing left is to attach the saved report in your next message.

---


Run Zoek

Please temporarily disable your AV program.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here.
  • on Windows Vista, 7, 8 and 10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyclsid;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.
Can you tell me how your computer is running now and if there are any remaining problems?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 31 May 2017 - 01:38 PM

The computer seems to be running pretty well, no noticeable problems or popups at the moment, just that website notification.

 

Thanks for your help

Attached Files





