
infected by d2buh1bf1g584w.cloudfront.net


  • This topic is locked
30 replies to this topic

#16 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 31 May 2017 - 02:05 PM

Hello, sorry I did not run the zoek properly the first time. I ran a deep scan instead of following the instructions; here are the results after following the instructions.

Attached Files





#17 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 31 May 2017 - 02:25 PM

The computer seems to be running pretty well, no noticeable problems or popups at the moment, just that website notification.
 
Thanks for your help

Do you get this issue with every browser or only with a special one?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#18 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 31 May 2017 - 02:53 PM

I was getting problems with Firefox: every few days the icon would change to a big farm icon on the Windows toolbar and on the desktop. That was before I had deleted all files related to Wondershare Filmora. Since then, I have just used windows explorer 11 and that problem has not occurred again. When Big Farm showed up, there was also a program B1zGsIiSbOqp, and bit.dll was running, and the key for that was deleted by AdwCleaner. I have stuck with Internet Explorer since then to try to stop the problem from happening again.



#19 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 31 May 2017 - 03:28 PM

Scan with SystemLook
  • Please download SystemLook (32-bit) by jpshortstuff and save it to your desktop
  • Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop (for 64-bit users)
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following code box into the main textfield:
:regfind
cloudfront.net
msiexec.exe

:filefind
msiexec.exe
cloudfront.net
  • Click the Look button to start the scan (may take 5 ... 15 min.)
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • Please copy and paste the log to your reply.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#20 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 31 May 2017 - 03:55 PM

System Look file attached

Attached Files



#21 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 01 June 2017 - 02:03 AM


Download and run Shortcut Cleaner

---

Do you still get d2buh1bf1g584w.cloudfront.net warnings?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#22 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 01 June 2017 - 11:21 AM

I ran Shortcut Cleaner, which found no problems. I haven't gotten the message from Malwarebytes that a malicious website is being blocked since 3.59 pm yesterday. I believe the B1zGsIiSbOqp key was deleted yesterday, which may have stopped the problem; not sure yet, still waiting for the warning message today. The website was blocked 8 times in one day on 22/05/2017, so it's being blocked a lot less now, so hopefully the problem is fixed.

 

Shortcut Cleaner Log:

 

 

Shortcut Cleaner 1.4.9.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 8.1
Program started at: 06/01/2017 05:17:05 PM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\anthony\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\anthony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\anthony\Desktop\

Searching C:\Users\Public\Desktop\

0 bad shortcuts found.

Program finished at: 06/01/2017 05:17:06 PM
Execution time: 0 hours(s), 0 minute(s), and 1 seconds(s)



#23 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 01 June 2017 - 11:48 AM

OK, fine.

Let's wait another 24 hours to be sure.

---

Meanwhile go on here:

FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the boxes next to Addition.txt and Shortcut.txt. Then press the Scan button.
  • When finished, it will produce logs called FRST.txt, Shortcut.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.
---

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


Can you tell me how your computer is running now and if there are any remaining malware-related problems?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#24 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 01 June 2017 - 03:28 PM

frst 64 attached

 

eset attached

 

eset picked up a lot of stuff but I don't think any of those were causing a problem or related to it, they just had names like keygen which it picked up on.

 

 

There are no noticeable problems with malware at the moment. The message of the website being blocked hasn't appeared today, although my Malwarebytes premium trial is over at the end of the day, so I won't know if it is working tomorrow unless I reinstall it and the trial starts again.

Attached Files



#25 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 01 June 2017 - 04:30 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt
 
Start
CreateRestorePoint:
CloseProcesses:
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} -  No File
Folder: C:\Windows\SysWOW64\33
Folder: C:\Windows\SysWOW64\1111111
Folder: C:\Windows\SysWOW64\1
Folder: C:\Windows\SysWOW64\11
AlternateDataStreams: C:\Windows:nlsPreferences [0]
File: C:\Program Files (x86)\vsq3.xsd
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt) please post it to your reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#26 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 01 June 2017 - 06:22 PM

Hi, thanks for your help, here is the fixlog

Attached Files



#27 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 02 June 2017 - 03:05 AM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt
 
Start
CreateRestorePoint:
C:\Windows\SysWOW64\33
C:\Windows\SysWOW64\1111111
C:\Windows\SysWOW64\1
C:\Windows\SysWOW64\11
End
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt) please post it to your reply.



How is the computer running now?

---

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#28 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 02 June 2017 - 09:13 AM

Hi, thanks for your continued help. I have posted the results below. The computer seems to be running well. I ran Malwarebytes and RogueKiller today and they can't find any problems. Unfortunately, my Malwarebytes premium expired at 12.00 yesterday. The website wasn't blocked once all day yesterday, and the last time it was blocked was 3.59 pm on 31/05/2017; it usually was getting blocked at least four times per day, some days eight times a day. Can I block the website by adding it to my host file in windows/system32/hosts?

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-06-2017
Ran by anthony (02-06-2017 15:00:17) Run:3
Running from C:\Users\anthony\Downloads
Loaded Profiles: anthony (Available Profiles: anthony)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
C:\Windows\SysWOW64\33
C:\Windows\SysWOW64\1111111
C:\Windows\SysWOW64\1
C:\Windows\SysWOW64\11
End
*****************

Restore point was successfully created.
C:\Windows\SysWOW64\33 => moved successfully
C:\Windows\SysWOW64\1111111 => moved successfully
C:\Windows\SysWOW64\1 => moved successfully
C:\Windows\SysWOW64\11 => moved successfully

==== End of Fixlog 15:00:29 ====
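
An added example, not part of the original post and not FRST's own code: a short Python check that reconciles the paths echoed in this Fixlog's fixlist with the result lines, so a helper can confirm every requested folder has its own "moved successfully" line. It compares whole paths rather than substrings, because `...\1` is a prefix of `...\11`; it handles only the bare-path fixlist form shown in this log.

```python
import re

# Fixlog body copied from the post above.
FIXLOG = r"""fixlist content:
*****************
Start
CreateRestorePoint:
C:\Windows\SysWOW64\33
C:\Windows\SysWOW64\1111111
C:\Windows\SysWOW64\1
C:\Windows\SysWOW64\11
End
*****************
Restore point was successfully created.
C:\Windows\SysWOW64\33 => moved successfully
C:\Windows\SysWOW64\1111111 => moved successfully
C:\Windows\SysWOW64\1 => moved successfully
C:\Windows\SysWOW64\11 => moved successfully

==== End of Fixlog 15:00:29 ====
"""
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a line that starts with a drive path

def _sections(log):
    """Split the log into (fixlist body, everything after the fixlist)."""
    head, tail = log.replace("\r\n", "\n").split("\nEnd\n", 1)
    return head.split("\nStart\n", 1)[1], tail

def requested_paths(log):
    """Bare paths listed between Start and End; directives are skipped."""
    lines = (l.strip() for l in _sections(log)[0].splitlines())
    return [l for l in lines if PATH_RE.match(l)]

def results(log):
    """Map each 'path => outcome' result line to its outcome text."""
    out = {}
    for line in _sections(log)[1].splitlines():
        path, sep, outcome = line.rpartition(" => ")
        if sep:
            out[path.strip()] = outcome.strip()
    return out

def unconfirmed(log):
    """Requested paths without an exact 'moved successfully' result."""
    done = results(log)
    return [p for p in requested_paths(log) if done.get(p) != "moved successfully"]

if __name__ == "__main__":
    print("unconfirmed:", unconfirmed(FIXLOG))
```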



#29 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:24 PM

Posted 02 June 2017 - 09:50 AM

"Can I block the website by adding it to my host file in windows/system32/hosts?"


You can try that.
 

***


It Appears That Your Pc Is Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Make sure you keep your Windows OS current.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step2: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step3: Use only one anti-virus software and keep it up-to-date.

:step4: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step5: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step6: Use Strong passwords!

:step7: Email attachments
Do not open any unknown email attachments which you received without asking for them!


Extra note:
Keep your Browser, Java, PDF Reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
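
An added example, not part of the original posts: a Python sketch of the hosts-file block asked about above. On Windows the hosts file is at `%SystemRoot%\System32\drivers\etc\hosts`, entries match exact hostnames only (no wildcards), and writing it needs administrator rights; the `0.0.0.0` sinkhole address and the sample file content are assumptions of this example.

```python
import os

# Hostname is from this thread; the 0.0.0.0 sinkhole address is this example's choice.
BLOCKED_HOST = "d2buh1bf1g584w.cloudfront.net"
SINKHOLE = "0.0.0.0"
# Standard location of the hosts file on Windows.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

# Constructed sample content, including a commented-out (inactive) entry.
SAMPLE = ("# constructed sample hosts file\n"
          "127.0.0.1 localhost\n"
          "# 0.0.0.0 d2buh1bf1g584w.cloudfront.net\n")

def parse_hosts(text):
    """Return {hostname: ip} for active entries; text after '#' is ignored."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])  # keep first mapping seen
    return mapping

def add_block(text, host=BLOCKED_HOST, ip=SINKHOLE):
    """Return hosts text with `host` pointed at `ip`; safe to run repeatedly."""
    current = parse_hosts(text).get(host.lower())
    if current == ip:
        return text  # already blocked, nothing to add
    if current is not None:
        raise ValueError(f"{host} is already mapped to {current}; review by hand")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {host}\n"

def apply_block(path=HOSTS_PATH):
    """Rewrite the real hosts file; run from an elevated (administrator) prompt."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = add_block(original)
    if updated != original:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return updated != original

if __name__ == "__main__":
    print(add_block(SAMPLE), end="")
```

After the file changes, `ipconfig /flushdns` clears any cached lookup of the name. The entry covers only this one hostname, not other names under cloudfront.net.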


#30 bobsanchez123

bobsanchez123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 02 June 2017 - 08:16 PM

Ok, thanks for all your help





