I keep getting popups and from one webpage redirected.


  • This topic is locked
18 replies to this topic

#1 wytbro

  • Members
  • 9 posts

Posted 28 November 2017 - 01:22 AM

I've attached my FRST logs.

Attached Files




#2 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 November 2017 - 04:53 AM

Hello wytbro and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please complete these tasks in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Malwarebytes Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the “History” tab, then “Application Logs”
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Logs to include with the next post:

AdwCleaner log
JRT.txt
Mbam.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 wytbro

  • Topic Starter
  • Members
  • 9 posts

Posted 28 November 2017 - 12:20 PM

Logs are attached.

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 November 2017 - 05:09 PM

Those logs didn’t show the results I expected, so let's have a different look.

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right-click -> Run as administrator; for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on ‘Report’ and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects: not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

 

NOTE: We have a time difference involved so please be patient if I don't reply as soon as you expect.

Satchfan

 




#5 wytbro

  • Topic Starter
  • Members
  • 9 posts

Posted 28 November 2017 - 06:34 PM

RogueKiller V12.11.26.0 (x64) [Nov 27 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.17025) 64 bits version
Started in : Normal mode
User : white [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/28/2017 16:09:22 (Duration : 00:21:57)
Switches : -refid
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 31 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1dff18af-37d2-4f12-8c04-ae369f50c98b} | DhcpNameServer : 0.0.0.0 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3013d4ab-fe97-4275-8ba5-e7e0a49e8c77} | DhcpNameServer : 10.192.0.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0579234C-6AEF-4AB9-B204-93E2D9C2FCB2} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS522A\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1FE65601-447B-4CA9-BADE-C270AF9513F7} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS522A\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {838B14BE-4A12-4459-8BA4-C25ACDC5B2C8} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS4DFD\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7AD8A015-1668-47DC-B96C-B7DBB80733CD} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS4DFD\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D4ECBC54-EE11-4694-9112-B32BE5E52001} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3E98\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8F512FAD-A567-46E5-8C8E-B7A926D35710} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3E98\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D57F8BFF-01DE-43FF-A60D-41458BAFE4B4} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS2C29\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F7A8470B-B2B3-4CE5-A77B-133DF899F7F5} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS2C29\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10E34CA9-01B5-49A6-B397-B47068391A00} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS14FE\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {EC524F3D-2435-44CA-B90D-EDA852544C0F} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS14FE\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{3EC3197F-A02A-40D9-B43A-8C48397AA229}C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{B035B68A-51A0-44D3-9282-B1914782ADCE}C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {86A46BE6-4C59-4DB1-BAA2-9B136D87F237} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5CDC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5CBA0879-B743-4C94-92FC-5CF09F0473A7} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5CDC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{A3DC28E7-4326-4F73-A817-2EDBE5B3C725}C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{104BF696-CB79-4174-AA0E-A5A8750C072B}C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2DE71201-086D-430E-93D9-969EC30DC83C} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3368\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CEDD4352-D490-40CB-924E-7B4A1CACF641} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3368\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D262FA84-86A8-454F-BCCA-326AE60CB12D} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5658\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2C287EF7-4FA9-464B-8378-3DF8F983C754} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5658\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[PUP.uTorrentAds][File] C:\Users\white\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk X400 M.2 2280 128GB +++++
--- User ---
[MBR] d6bbf31804145e1567c3136ac647fa30
[BSP] 8d3aa96ab6bafb89ab086b201a911c62 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 107937 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 222343168 | Size: 462 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 223289344 | Size: 11927 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 247717888 | Size: 1148 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST1000LM035-1RK172 +++++
--- User ---
[MBR] f7534e6c4f07706266d250adf0af35a7
[BSP] 07bb5fb1a70360bb6362fc4439c721bd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK

Attached Files


Edited by wytbro, 28 November 2017 - 06:35 PM.


#6 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 November 2017 - 06:53 PM

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe (Windows 7/8/10: right-click the program and select Run as Administrator)
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Please then run it again and send the new log

Satchfan

 




#7 wytbro

  • Topic Starter
  • Members
  • 9 posts

Posted 30 November 2017 - 06:15 PM

Before:

 

RogueKiller V12.11.26.0 (x64) [Nov 27 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.17025) 64 bits version
Started in : Normal mode
User : white [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/30/2017 15:29:46 (Duration : 00:20:31)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 31 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11282017101725830\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1dff18af-37d2-4f12-8c04-ae369f50c98b} | DhcpNameServer : 0.0.0.0 ([])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3013d4ab-fe97-4275-8ba5-e7e0a49e8c77} | DhcpNameServer : 10.192.0.1 ([])  -> Replaced ()
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0579234C-6AEF-4AB9-B204-93E2D9C2FCB2} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS522A\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1FE65601-447B-4CA9-BADE-C270AF9513F7} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS522A\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {838B14BE-4A12-4459-8BA4-C25ACDC5B2C8} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS4DFD\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7AD8A015-1668-47DC-B96C-B7DBB80733CD} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS4DFD\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D4ECBC54-EE11-4694-9112-B32BE5E52001} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3E98\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8F512FAD-A567-46E5-8C8E-B7A926D35710} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3E98\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D57F8BFF-01DE-43FF-A60D-41458BAFE4B4} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS2C29\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F7A8470B-B2B3-4CE5-A77B-133DF899F7F5} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS2C29\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {10E34CA9-01B5-49A6-B397-B47068391A00} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS14FE\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {EC524F3D-2435-44CA-B90D-EDA852544C0F} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS14FE\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{3EC3197F-A02A-40D9-B43A-8C48397AA229}C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{B035B68A-51A0-44D3-9282-B1914782ADCE}C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {86A46BE6-4C59-4DB1-BAA2-9B136D87F237} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5CDC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5CBA0879-B743-4C94-92FC-5CF09F0473A7} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5CDC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{A3DC28E7-4326-4F73-A817-2EDBE5B3C725}C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{104BF696-CB79-4174-AA0E-A5A8750C072B}C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\white\appdata\local\temp\7zs3368\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2DE71201-086D-430E-93D9-969EC30DC83C} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3368\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CEDD4352-D490-40CB-924E-7B4A1CACF641} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS3368\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D262FA84-86A8-454F-BCCA-326AE60CB12D} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5658\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2C287EF7-4FA9-464B-8378-3DF8F983C754} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS5658\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Deleted
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk X400 M.2 2280 128GB +++++
--- User ---
[MBR] d6bbf31804145e1567c3136ac647fa30
[BSP] 8d3aa96ab6bafb89ab086b201a911c62 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 107937 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 222343168 | Size: 462 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 223289344 | Size: 11927 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 247717888 | Size: 1148 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST1000LM035-1RK172 +++++
--- User ---
[MBR] f7534e6c4f07706266d250adf0af35a7
[BSP] 07bb5fb1a70360bb6362fc4439c721bd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK
 

After:

 

RogueKiller V12.11.26.0 (x64) [Nov 27 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.17025) 64 bits version
Started in : Normal mode
User : white [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/30/2017 15:53:06 (Duration : 00:20:35)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk X400 M.2 2280 128GB +++++
--- User ---
[MBR] d6bbf31804145e1567c3136ac647fa30
[BSP] 8d3aa96ab6bafb89ab086b201a911c62 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 107937 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 222343168 | Size: 462 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 223289344 | Size: 11927 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 247717888 | Size: 1148 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST1000LM035-1RK172 +++++
--- User ---
[MBR] f7534e6c4f07706266d250adf0af35a7
[BSP] 07bb5fb1a70360bb6362fc4439c721bd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK
 

 

Attached Files
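The RogueKiller reports in posts #5 and #7 above are the whole record of what was found and what was removed, and they are worth reading for more than the "Found" / "Deleted" verdicts. The `[Suspicious.Path]` entries quote, verbatim, the strings Windows stores under HKLM\...\FirewallPolicy\FirewallRules (`v2.27|Action=Allow|...|App=<path>|Name=...`): inbound Allow rules for an executable under AppData\Local\Temp\7zS*, which is where self-extracting 7-Zip installers unpack, so these are most likely installer leftovers rather than the cause of the popups, but a responder still wants them listed because a rule like that survives after the file it points to is gone. The `[PUM.HomePage][Chrome:Config]` lines carry the actual hijack (homepage and startup URL pointing at websearch.goodforsearch.info), and the `[PUM.Dns]` lines the DHCP-assigned resolvers, which in this case are a private address and are not by themselves suspicious. The Python below is an added example, not part of the thread and not RogueKiller's or Adlice's code: it parses the report format shown on this page (`[Category][Sub] (arch) key | value -> status` lines under `¤¤¤ Section ¤¤¤` headers), decodes the quoted FirewallRules strings, and pulls out the items a responder would triage first. The sample report is a constructed subset of lines copied from the thread; the function names, the `Listed` status for entries RogueKiller printed without a verdict, and the "executable under Temp" heuristic are my own.

```python
"""Triage a RogueKiller text report: extract findings, decode the Windows
FirewallRules strings it quotes, and flag what a responder should look at.
Added example for this thread; not RogueKiller's own code."""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the Scan-mode report lines posted in the thread.
SAMPLE_SCAN = r"""
¤¤¤ Registry : 31 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3721838450-3874016593-4234538750-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3013d4ab-fe97-4275-8ba5-e7e0a49e8c77} | DhcpNameServer : 10.192.0.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0579234C-6AEF-4AB9-B204-93E2D9C2FCB2} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\white\AppData\Local\Temp\7zS522A\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{3EC3197F-A02A-40D9-B43A-8C48397AA229}C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\white\appdata\local\temp\7zs5cdc\hpdiagnosticcoreui.exe|Name=hpdiagnosticcoreui.exe|Desc=hpdiagnosticcoreui.exe|Defer=User| [x] -> Found
¤¤¤ Files : 1 ¤¤¤
[PUP.uTorrentAds][File] C:\Users\white\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Found
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://websearch.goodforsearch.info/?pid=23391&r=2015/04/30&hid=10681948909746868269&lg=EN&cc=CA&unqvl=86] -> Found
"""

# One finding line: [Category][optional Sub] (optional arch) body [-> Status [(detail)]]
FINDING = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s*"
    r"(?:\((?P<arch>X64|X86)\)\s*)?"
    r"(?P<body>.*?)"
    r"(?:\s*->\s*(?P<status>[A-Za-z]+)(?:\s*\([^)]*\))?)?\s*$"
)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)   # heuristic, my own
CHROME_PREF = re.compile(r":\s*(?P<pref>[\w.]+)\s*\[(?P<url>[^\]]+)\]\s*$")


def parse_firewall_rule(body):
    """Decode '<key path> | <rule name> : v2.27|Action=..|App=..| [x]' into a field dict.
    The 'Key=Value' pipe-separated string is the native FirewallRules registry format."""
    _, _, rest = body.partition(" | ")          # drop the registry key path
    name, _, rule = rest.partition(" : ")       # rule name may itself contain a path
    fields = {"RuleName": name}
    for token in rule.replace(" [x]", "").split("|"):
        if "=" in token:                        # skips the leading 'v2.27' version token
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def triage(report):
    """Return the triage-worthy items from a RogueKiller report (Scan or Delete mode)."""
    result = {"status_counts": {}, "firewall_temp_apps": [],
              "browser_hijack_hosts": set(), "dhcp_dns_servers": [], "pup_files": []}
    section = None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("¤¤¤"):              # section header, e.g. '¤¤¤ Registry : 31 ¤¤¤'
            section = line.strip("¤ ").split(":")[0].strip()
            continue
        if section == "MBR Check":             # '[MBR] <hash>' lines are not findings
            continue
        m = FINDING.match(line)
        if not m:
            continue
        cat, sub, body = m["cat"], m["sub"] or "", m["body"]
        status = m["status"] or "Listed"        # entries printed without a verdict
        result["status_counts"][status] = result["status_counts"].get(status, 0) + 1
        if "FirewallRules" in body:
            rule = parse_firewall_rule(body)
            app = rule.get("App", "")
            if TEMP_DIR.search(app):            # Allow rule for a binary in a user Temp dir
                result["firewall_temp_apps"].append({
                    "app": app, "profile": rule.get("Profile"),
                    "protocol": rule.get("Protocol"),
                    "user_prompted": rule.get("Defer") == "User",  # created via the UAC-style prompt
                    "status": status})
        elif cat == "PUM.HomePage" and sub.startswith("Chrome"):
            pref = CHROME_PREF.search(body)
            if pref:
                result["browser_hijack_hosts"].add(urlsplit(pref["url"]).hostname)
        elif cat == "PUM.Dns":
            dns = re.search(r"DhcpNameServer\s*:\s*(\S+)", body)
            if dns:
                result["dhcp_dns_servers"].append(dns.group(1))
        elif cat.startswith("PUP.") and sub == "File":
            result["pup_files"].append(body)
    return result


def is_clean(report):
    """True when the report lists no findings at all (the 'After' state asked for above)."""
    return not triage(report)["status_counts"]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

Running it against the Scan report from post #5 yields one `Listed` entry (the empty AutoConfigUrl), six `Found` entries, two Temp-directory firewall rules (one Private-profile rule written by an installer, one Public-profile rule the user approved at a prompt), the single hijack host, and the uTorrent PUP file; feeding it the "After" report from post #7 returns `is_clean(...) == True`, which is the machine-readable version of the check satchfan asks for by requesting a second scan.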



#8 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 01 December 2017 - 04:31 AM

Please run FRST again and make sure there is a checkmark next to ‘Addition.txt’ before you hit Scan.

Logs to include with next post:

New Frst.txt
New Addition.txt


Can you tell me if there has been any improvement and what problems remain.

Thanks

Satchfan




#9 wytbro

  • Topic Starter
  • Members
  • 9 posts

Posted 01 December 2017 - 09:20 PM

It's fixed now.


#10 satchfan


Posted 02 December 2017 - 07:35 AM

Glad things are better. Just a couple of things to tidy up and a final scan.

You need to move Farbar Recovery Scan Tool to your desktop, otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+c:
Start::
CloseProcesses:
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {C78E616A-8237-48E5-AF44-D75E053789C3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the report
  • please paste the contents into your reply.

Logs to include with next post:

Fixlog.txt
Zemana AntiMalware results


Thanks

Satchfan

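The three lines in the fixlist above remove entries that share one property: each points at something that is no longer on disk (a service whose ImagePath file is missing, a context-menu handler whose CLSID has no server DLL, a scheduled task whose task file is gone). As an added example for this page, not part of satchfan's fix or of FRST itself, the PowerShell below lists the same three classes of orphaned entry so they can be reviewed before a fixlist is written. It assumes an elevated Windows PowerShell 5.1 or later session. The function names (Resolve-ImagePath, Get-OrphanedServices, Get-OrphanedTasks, Get-OrphanedContextMenuHandlers) are mine, and reading FRST's "[X]" and "No File" markers as "target file missing" is my interpretation of the lines above, not FRST documentation.

```powershell
# Added example for this thread, not satchfan's fixlist and not FRST code. Read-only audit
# of the three entry types the fix above removes: a service whose ImagePath file is missing
# (FRST "[X]"), a shell ContextMenuHandler whose CLSID has no server DLL on disk, and a Task
# Scheduler cache entry whose task file is gone (both shown by FRST as "No File"; that
# mapping is my reading of the log). Assumes an elevated Windows PowerShell 5.1+ session.
# Nothing here deletes anything; review the output before writing any fix.

function Resolve-ImagePath {
    # Reduce the forms seen in ImagePath / InprocServer32 values to one absolute path:
    # quoted paths with arguments, "\??\C:\...", "\SystemRoot\...", bare "System32\...".
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } elseif ($p -match '^(.+?\.(exe|dll|sys|cpl|ocx))(\s|$)') {
        $p = $Matches[1]                       # unquoted path with a known extension, arguments follow
    } else {
        $p = ($p -split '\s+', 2)[0]           # no extension at all, e.g. %SystemRoot%\system32\ibtsiva
    }
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\x      -> C:\x
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\x -> C:\Windows\x
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative, e.g. system32\drivers\x.sys
    return $p
}

function Get-OrphanedServices {
    # Every real service or kernel driver has an ImagePath; keys without one are skipped.
    # svchost-hosted services resolve to svchost.exe, so their ServiceDll is not checked here.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $path = Resolve-ImagePath $image
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Kind = 'Service'; Name = $svc.PSChildName; Target = $image; Resolved = $path }
        }
    }
}

function Get-OrphanedTasks {
    # Task Scheduler keeps a registry cache keyed by task GUID; each entry's Path names the
    # task XML under System32\Tasks. A cache entry with no matching file is an orphan.
    $cache   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    $taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
    foreach ($t in Get-ChildItem -LiteralPath $cache -ErrorAction SilentlyContinue) {
        $relPath = (Get-ItemProperty -LiteralPath $t.PSPath -ErrorAction SilentlyContinue).Path
        if (-not $relPath) { continue }
        $file = Join-Path $taskDir $relPath.TrimStart('\')
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Kind = 'Task'; Name = $t.PSChildName; Target = $relPath; Resolved = $file }
        }
    }
}

function Get-OrphanedContextMenuHandlers {
    # A handler subkey names a CLSID (in its default value or as the key name itself); the COM
    # server for that CLSID is the default value of CLSID\{...}\InprocServer32. No server key,
    # or a server DLL that is not on disk, is what FRST showed above as "-> No File".
    $guid     = '^\{[0-9A-Fa-f-]{36}\}$'
    $subjects = @('*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Drive', 'Folder')
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
    foreach ($hive in @('HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes')) {
        foreach ($subject in $subjects) {
            $key = "$hive\$subject\shellex\ContextMenuHandlers"
            foreach ($h in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
                $clsid = (Get-ItemProperty -LiteralPath $h.PSPath -ErrorAction SilentlyContinue).'(default)'
                if (-not $clsid -or $clsid -notmatch $guid) { $clsid = $h.PSChildName }
                if ($clsid -notmatch $guid) { continue }
                $server = $null
                foreach ($root in $clsidRoots) {
                    $v = (Get-ItemProperty -LiteralPath "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                    if ($v) { $server = $v; break }
                }
                $path = if ($server) { Resolve-ImagePath $server } else { $null }
                if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                    [pscustomobject]@{ Kind = 'ContextMenuHandler'; Name = "$subject\$($h.PSChildName)"; Target = $clsid; Resolved = $path }
                }
            }
        }
    }
}

# Usage: one table of every orphan found, grouped by kind.
$orphans = @(Get-OrphanedServices) + @(Get-OrphanedTasks) + @(Get-OrphanedContextMenuHandlers)
$orphans | Sort-Object Kind, Name | Format-Table -AutoSize
```

Orphaned entries of this kind are usually leftovers of uninstalled software rather than evidence of infection, which is why the thread treats them as tidying after the actual problem was resolved; the script deliberately reports and does not delete, and it does not follow svchost-hosted services into their ServiceDll values.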
#11 wytbro

wytbro
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 02 December 2017 - 01:56 PM

Attached.


#12 satchfan


Posted 02 December 2017 - 03:46 PM

All looks good. Any remaining problems?



#13 satchfan


Posted 03 December 2017 - 07:10 AM

I’m afraid that I will not be able to reply for 24 hours as I have to deal with an urgent situation and won’t have access to a computer.

Apologies for the inconvenience.

Satchfan

#14 wytbro


Posted 03 December 2017 - 10:07 PM

The only problem I have left is that usually the spacebar doesn't work when typing on this website.



#15 satchfan


Posted 04 December 2017 - 08:06 AM

Only on this site? Which browser are you using?


Edited by satchfan, 04 December 2017 - 08:11 AM.
