Strange things after W10 restoration including firefox porn pop up at startup



#1 MetalowaGlowa

Posted 26 January 2018 - 05:10 PM

Hi there,

Recently (2 weeks ago) there was this huge W10 update. I didn't like it since it broke most of my applications.

So I reverted to a previous compilation. The next day it started updating again. I closed the lid of my laptop and...I broke the system.

Got a starter usb and reverted system to a default state.

All applications have been removed, there is even a log for that <wow>.

So I started installing all the necessary stuff and I guess I must have been using the internet for a few minutes without any security, and here is what I'm dealing with now:

 

After W10 starts there is a single Firefox pop-up with random letters like "wsqaaidfuoqwejfkxvlcjl..." and some porn site. It's only active in the bar at the bottom. I can view it in a small window (by hovering the cursor over the bar) but I can't maximize it. Not that I want to ;)

Funny thing is - I don't have the Firefox installed. There must be some remnants of the previous W10 compilation since there is a "Windows.old" folder on the C drive.

I have used Malwarebytes software and something has been quarantined.

Additionally, sometimes I get a pop-up window from Malwarebytes saying that an attempted connection has been blocked from "adnium" or "8star888.org".

 

I really would appreciate some help.




#2 buddy215 (Moderator)

Posted 26 January 2018 - 05:31 PM

Use the programs below to clean, remove malware and remove adware.

 

You can use Windows Cleanup to remove the Windows.old folder.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 MetalowaGlowa (Topic Starter)

Posted 27 January 2018 - 12:35 PM

Removed windows.old with system cleaning - still have to choose system version. Guess something must have remained.
 
Did all the scans, below are the logs. Not much has changed though. Firefox popup still pops up.
 
Eset found something (4 somethings to be exact) but it claims they have been removed.
 
# AdwCleaner 7.0.7.0 - Logfile created on Sat Jan 27 12:24:22 2018
# Updated on 2018/18/01 by Malwarebytes 
# Database: 01-26-2018.1
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1423 B] - [2018/1/22 17:45:23]
C:/AdwCleaner/AdwCleaner[S0].txt - [1332 B] - [2016/11/21 12:1:48]
C:/AdwCleaner/AdwCleaner[S1].txt - [1274 B] - [2018/1/22 17:42:53]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########
 
 
ESET:
C:\Games\hi-mohuetec\hi-mohuetec.iso a variant of Win32/HackTool.Crack.EN potentially unsafe application deleted
C:\Users\metalowa_glowa\Documents\Downloads\ccsetup539.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\metalowa_glowa\Documents\Downloads\uTorrent.exe a variant of MSIL/WebCompanion.A potentially unwanted application,a variant of Win32/WebCompanion.B potentially unwanted application cleaned by deleting
D:\MUZA JEDNA I NIEPODZIELNA\Lordi\Lordi - The Arockalypse\Unlimitierte Musik Downloads! Jetzt kostenlos anmelden!.url LNK/Agent.CH trojan cleaned by deleting
 
AntiRootkit:
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2018.01.27.02
  rootkit: v2018.01.23.01
 
Windows 10 x64 NTFS
Internet Explorer 11.192.16299.0
metalowa_glowa :: METALOWAGLOWA [administrator]
 
2018-01-27 16:36:35
mbar-log-2018-01-27 (16-36-35).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 223270
Time elapsed: 18 minute(s), 30 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#4 buddy215 (Moderator)

Posted 27 January 2018 - 01:25 PM

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks.

At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.



#5 MetalowaGlowa (Topic Starter)

Posted 27 January 2018 - 02:11 PM

Startup:

 

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run DAEMON Tools Lite Automount Disc Soft Ltd "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
Yes HKCU:Run firefox Mozilla Corporation "C:\Users\metalowa_glowa\AppData\Roaming\ComObject\update.exe" about:robots
Yes HKCU:Run OneDrive Microsoft Corporation "C:\Users\metalowa_glowa\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes HKLM:Run AvastUI.exe AVAST Software "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
Yes HKLM:Run HotKeysCmds Intel Corporation "C:\WINDOWS\system32\hkcmd.exe"
Yes HKLM:Run IgfxTray Intel Corporation "C:\WINDOWS\system32\igfxtray.exe"
Yes HKLM:Run Persistence Intel Corporation "C:\WINDOWS\system32\igfxpers.exe"
Yes HKLM:Run RtHDVBg Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3
Yes HKLM:Run RTHDVCPL Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
Yes HKLM:Run SecurityHealth Microsoft Corporation %ProgramFiles%\Windows Defender\MSASCuiL.exe
 
Scheduled:
 
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task klcp_update "%ProgramFiles(x86)%\K-Lite Codec Pack\Tools\CodecTweakTool.exe" /verysilent /update /freq=30
Yes Task OneDrive Standalone Update Task-S-1-5-21-1362770674-4107001041-3769634335-1000 Microsoft Corporation %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
 
 
Uninstall:
 
AIMP AIMP DevTeam 2018-01-22 v4.50.2058, 27.12.2017
Alarmy i zegar Microsoft Corporation 2018-01-21 10.1712.3352.0
Aparat Microsoft Corporation 2018-01-21 2017.1117.10.0
Avast Free Antivirus AVAST Software 2018-01-21 17.9.2322
Battle.net Blizzard Entertainment 2018-01-21
CCleaner Piriform 2018-01-26 5.39
Centrum opinii Microsoft Corporation 2018-01-21 1.1711.3412.0
DAEMON Tools Lite Disc Soft Ltd 2018-01-22 10.7.0.0337
DARK SOULS™ II: Scholar of the First Sin FromSoftware, Inc 2018-01-21
Dragon Age - Origins - Ultimate Edition GOG.com 2018-01-27 1,84 MB 2.0.0.3
Filmy i TV Microsoft Corporation 2018-01-21 10.17112.13411.0
Galactic Civilizations I: Ultimate Edition Stardock Entertainment 2018-01-27
Google Chrome Google Inc. 2018-01-21 63.0.3239.132
Host środowiska Sklepu Microsoft Corporation 2018-01-21 11712.1801.10002.0
Instalator aplikacji Microsoft Corporation 2018-01-21 1.0.12894.0
K-Lite Mega Codec Pack 13.7.5 KLCP 2018-01-22 164 MB 13.7.5
Kalkulator Microsoft Corporation 2018-01-21 10.1712.3351.0
Kontakty Microsoft Corporation 2018-01-21 10.3.3472.0
Mapy Microsoft Corporation 2018-01-21 5.1708.2764.0
Microsoft Office Language Pack 2010 - Polish/Polski Microsoft Corporation 2018-01-23 14.0.7015.1000
Microsoft Office Professional Plus 2010 Microsoft Corporation 2018-01-22 14.0.4734.1000
Microsoft OneDrive Microsoft Corporation 2018-01-25 101 MB 17.3.7294.0108
Microsoft Pay Microsoft Corporation 2018-01-24 2.1.18011.0
Microsoft Solitaire Collection Microsoft Studios 2018-01-21 3.18.12091.0
Microsoft Sticky Notes Microsoft Corporation 2018-01-21 2.0.5.0
Microsoft Store Microsoft Corporation 2018-01-21 11712.1001.13.0
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 2018-01-27 3,16 MB 8.0.59193
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 2018-01-27 7,00 MB 8.0.56336
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 2018-01-21 13,2 MB 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 2018-01-21 10,1 MB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 2018-01-21 13,8 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 2018-01-21 11,1 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 2018-01-22 20,5 MB 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 2018-01-22 17,3 MB 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 Microsoft Corporation 2018-01-21 20,5 MB 12.0.21005.1
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Corporation 2018-01-21 17,1 MB 12.0.21005.1
Muzyka Groove Microsoft Corporation 2018-01-21 10.17086.24711.0
Mój Office Microsoft Corporation 2018-01-21 17.8830.7600.0
NapiProjekt (2.2.0.2399) 2018-01-25 20,4 MB
NVIDIA Oprogramowanie systemu PhysX 9.15.0428 NVIDIA Corporation 2018-01-27 9.15.0428
NVIDIA PhysX (Legacy) NVIDIA Corporation 2018-01-27 42,2 MB 9.13.0604
OneNote Microsoft Corporation 2018-01-21 17.8827.20991.0
Paint 3D Microsoft Corporation 2018-01-21 3.1712.7027.0
Pinnacle Game Profiler PowerUp Software 2018-01-21 8.2.8
Plany taryfowe Microsoft Corporation 2018-01-21 3.1710.3044.0
Poczta i Kalendarz Microsoft Corporation 2018-01-26 17.8827.21595.0
Pogoda Microsoft Corporation 2018-01-21 4.22.3254.0
Print 3D Microsoft Corporation 2018-01-21 2.0.3621.0
Przeglądarka rzeczywistości mieszanej Microsoft Corporation 2018-01-21 2.1801.4012.0
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 2018-01-21 6.0.1.6312
Rejestrator głosu Microsoft Corporation 2018-01-21 10.1712.3351.0
Sid Meier's Civilization IV Firaxis Games 2018-01-27
Skype Skype 2018-01-21 12.13.274.0
Steam Valve Corporation 2018-01-21 2.10.91.91
Synaptics Pointing Device Driver Synaptics Incorporated 2018-01-21 46,4 MB 19.2.17.55
Telefon Microsoft Corporation 2018-01-21 3.34.12002.0
Uzyskaj pomoc Microsoft Corporation 2018-01-21 10.1706.3471.0
Wiadomości Microsoft Corporation 2018-01-21 3.34.25004.0
Wskazówki Microsoft Corporation 2018-01-21 6.7.3462.0
wxLauncher wxLauncher Team 2018-01-27 0.10.1
Xbox Microsoft Corporation 2018-01-21 36.36.12003.0
Xbox Game bar Microsoft Corporation 2018-01-21 1.24.5001.0
Xbox Game Speech Window Microsoft Corporation 2018-01-21 1.21.13002.0
Xbox Identity Provider Microsoft Corporation 2018-01-21 12.30.5001.0
Xbox Live Microsoft Corporation 2018-01-21 1.11.29001.0
Zdjęcia Microsoft Corporation 2018-01-21 2017.39101.16720.0
µTorrent BitTorrent Inc. 2018-01-21 3.5.1.44332
 


#6 buddy215 (Moderator)

Posted 27 January 2018 - 03:05 PM

Disable these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run DAEMON Tools Lite Automount Disc Soft Ltd "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
Yes HKCU:Run OneDrive Microsoft Corporation "C:\Users\metalowa_glowa\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes HKLM:Run IgfxTray Intel Corporation "C:\WINDOWS\system32\igfxtray.exe"
 
Delete this Windows Startup: Use CCleaner by clicking on it and choosing Delete on the right.
Yes HKCU:Run firefox Mozilla Corporation "C:\Users\metalowa_glowa\AppData\Roaming\ComObject\update.exe" about:robots
 
Disable these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task klcp_update "%ProgramFiles(x86)%\K-Lite Codec Pack\Tools\CodecTweakTool.exe" /verysilent /update /freq=30
Yes Task OneDrive Standalone Update Task-S-1-5-21-1362770674-4107001041-3769634335-1000 Microsoft Corporation %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
 
Uninstall µTorrent BitTorrent Inc. 2018-01-21 3.5.1.44332.....More than half of all free downloads on uTorrent will be bundled with malware and are sometimes illegal.
 

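The entry buddy215 singles out above is a textbook masquerading autostart: the name and publisher column say "firefox / Mozilla Corporation", but the image is an update.exe under the user's AppData\Roaming folder, and its argument is a page to open at logon, which is exactly the pop-up described in post #1. The script below is an added example (not code from the thread, from CCleaner or from BleepingComputer) that parses a pasted CCleaner Startups list and flags entries on three checks a reviewer would apply by hand: image runs from a user-writable folder, entry claims to be a browser but is not installed under Program Files or Windows, and the arguments are a URL or about: page. The sample rows are copied from post #5; the space-separated column layout, the directory heuristics and the browser-name table are assumptions chosen for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: rows from the CCleaner "Tools > Startups" list pasted in post #5
# (columns appear space-separated after extraction, so the name/publisher column is lumped).
SAMPLE_STARTUPS = r"""
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run firefox Mozilla Corporation "C:\Users\metalowa_glowa\AppData\Roaming\ComObject\update.exe" about:robots
Yes HKCU:Run OneDrive Microsoft Corporation "C:\Users\metalowa_glowa\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes HKLM:Run AvastUI.exe AVAST Software "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
Yes HKLM:Run RtHDVBg Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3
Yes HKLM:Run SecurityHealth Microsoft Corporation %ProgramFiles%\Windows Defender\MSASCuiL.exe
"""

# Image path: a quoted path, or an unquoted path that starts with a drive letter or
# %ENVVAR% and runs (non-greedily) up to the first ".exe".
IMAGE_RE = re.compile(r'"([^"]+\.exe)"|((?:[A-Za-z]:|%[^%\s]+%)\\.*?\.exe)', re.IGNORECASE)
# Folders an ordinary user can write to; an autostart living there deserves a look (assumed list).
USER_WRITABLE_RE = re.compile(r'\\(?:AppData\\Roaming|Temp|Downloads|Users\\Public)\\', re.IGNORECASE)
# Where a properly installed program, or Windows itself, normally lives (assumed list).
PROGRAM_DIR_RE = re.compile(
    r'^(?:[A-Za-z]:\\(?:Program Files(?: \(x86\))?|Windows)\\|%ProgramFiles(?:\(x86\))?%\\)',
    re.IGNORECASE)
# Arguments that are a page to open: an autostart like this produces a logon pop-up.
URL_ARG_RE = re.compile(r'^(?:about:|https?://|file:)', re.IGNORECASE)
BROWSER_NAMES = ("firefox", "chrome", "edge", "opera", "iexplore")  # assumed table


@dataclass
class Entry:
    name: str                     # first word of the name/publisher column (the claimed identity)
    key: str                      # HKCU:Run, HKLM:Run, ...
    image: str                    # executable path with quotes stripped
    args: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> Entry | None:
    """Parse one CCleaner startup row; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.split()
    m = IMAGE_RE.search(line)
    if not m:
        # Keep unparsable rows visible instead of silently dropping them.
        return Entry(name=parts[2] if len(parts) > 2 else line, key=parts[1] if len(parts) > 1 else "",
                     image="", args="", reasons=["image path not recognised; review manually"])
    head = line[:m.start()].split()
    return Entry(name=head[2] if len(head) > 2 else "", key=head[1] if len(head) > 1 else "",
                 image=m.group(1) or m.group(2), args=line[m.end():].strip())


def assess(e: Entry) -> Entry:
    """Attach human-readable reasons for why an autostart looks out of place."""
    if USER_WRITABLE_RE.search(e.image):
        e.reasons.append("runs from a user-writable folder")
    if e.name.lower() in BROWSER_NAMES and not PROGRAM_DIR_RE.match(e.image):
        e.reasons.append(f"claims to be {e.name} but is not installed under Program Files or Windows")
    if URL_ARG_RE.match(e.args):
        e.reasons.append("opens a web page or about: URL at logon")
    return e


def triage(text: str) -> list[Entry]:
    """Parse a pasted startup list and score every entry."""
    return [assess(e) for e in map(parse_line, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_STARTUPS):
        print(f"{'SUSPICIOUS' if e.reasons else 'ok':10} {e.key:9} {e.name:16} {e.image}")
        for r in e.reasons:
            print(f"{'':10} - {r}")
```

Run against the sample, only the "firefox" row is flagged, on all three checks; OneDrive is not, because AppData\Local is where several legitimate per-user installs live, so the example deliberately treats only Roaming, Temp, Downloads and Public as high-signal locations. The checks are heuristics: an entry that passes all three is not proven clean, and one that fails them still needs the file itself looked at before deletion.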

#7 MetalowaGlowa (Topic Starter)

Posted 27 January 2018 - 03:17 PM

Thank You so much BC Advisor!

Looks like everything did the trick.

Didn't expect that the system would get such a boost.

 

Really happy:)

Guess we can call it a night and close the topic:)



#8 buddy215 (Moderator)

Posted 27 January 2018 - 03:35 PM

Okay...give it a couple of reboots between now and tomorrow....sometimes these things have a second life.



#9 MetalowaGlowa (Topic Starter)

Posted 01 February 2018 - 04:33 PM

Still alive and kicking. All works fine. Think we may end this journey since we have reached our goal :) so happy!



#10 buddy215 (Moderator)

Posted 01 February 2018 - 06:23 PM

Thanks for posting back....happy surfin'

