
Infected with Citypage redirect + other malware/adware


  • This topic is locked
10 replies to this topic

#1 ChaikaCherry

ChaikaCherry

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 02 June 2018 - 02:04 PM

Hi, I started experiencing these issues a few days ago and attempted to manually remove them, I couldn't remove the sources so they would just replace themselves at the next reboot. On top of the citypage redirect I removed scanty and other background ad players which have not reappeared but might be lingering somewhere and I cannot locate them, please help!

 

Attached File  FRST.txt   92.11KB   8 downloads

 

Attached File  Addition.txt   91.3KB   5 downloads





#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 02 June 2018 - 03:34 PM

Welcome.
 
You will need another computer to download FRST64 to a USB drive, run FRST64 in the Recovery Environment, then back in Normal Mode.

Please download Farbar Recovery Scan Tool in an uninfected computer and save it to a flash drive (Pen Drive).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.exe

Please also download the attached file and save it in the same location the FRST64 is saved in the flash drive.

Boot to the Recovery Console's Command prompt in the infected computer.

Boot in the Recovery Environment

  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
    • Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    • Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    • Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums
    • After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.
    • On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the command prompt

  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • First press the Scan button. That will deactivate the rootkit. Once the scan is finished, press the Fix button
  • These actions will make two logs, a Fixlog.txt and a FRST.txt logs in the flash drive. Please copy and paste them in your reply

Once finished in the Recovery Environment, restart the computer in Normal Mode.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt ). Please attach this to your reply.

I will expect the following reports:

Frst.txt produced in the Recovery Console
Fixlog.txt produced in the Recovery Console
Frst.txt produced in Normal Mode
Addition.txt produced in Normal Mode


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ChaikaCherry

ChaikaCherry
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 02 June 2018 - 05:31 PM

Here are the four reports requested in order.

Attached Files



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 02 June 2018 - 07:16 PM

Nice logs.

 

 

  • Highlight the entire content of the quote box below.

Start::
C:\Windows\System32\wmehpkcsvc.exe  
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Startup: C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitesse.lnk [2018-05-30]
Startup: C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitessevitesse.lnk [2018-05-30]
2018-06-02 18:03 - 2018-06-02 18:03 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\rabnose
2018-06-02 18:00 - 2018-06-02 18:00 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\vdnkbzw
2018-06-02 17:56 - 2018-06-02 17:56 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\vdastux
2018-06-02 17:26 - 2018-06-02 17:26 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\mbrctdw
2018-06-02 17:23 - 2018-06-02 17:23 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\cwibxlu
2018-06-02 17:21 - 2018-06-02 17:21 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\raihndc
2018-06-02 17:18 - 2018-06-02 17:18 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\exorsuh
2018-05-30 02:40 - 2018-05-30 02:40 - 000020519 _____ (LinishqX) C:\Users\Gage Cencer\AppData\Local\Temp\cubesta.exe
2018-06-01 14:12 - 2018-05-30 08:38 - 011609024 _____ (SurfRight B.V.) C:\Users\Gage Cencer\AppData\Local\Temp\HitmanPro.exe
2018-05-30 03:12 - 2018-04-03 20:40 - 000375384 _____ (Symantec Corporation) C:\Users\Gage Cencer\AppData\Local\Temp\SEVINST64x86.EXE
Task: {BC894C9C-6EFD-49A7-A544-E92E8FABCF64} - System32\Tasks\technocrat_athwart => C:\Users\Gage Cencer\AppData\Local\Solubility.exe
Task: {E2F34C77-AF3E-466E-9810-CEDD87640B5D} - System32\Tasks\technocrat_athwarttechnocrat_athwart => C:\Users\Gage Cencer\AppData\Local\Solubility.exe
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log

  • Copy/pasted Fixlog.txt log



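The fix script above targets a recognisable set of persistence spots: a Windows Defender policy restriction, shortcuts dropped in the Startup folder, scheduled tasks that launch an executable from the user profile, and a cluster of freshly created, random-looking directories under AppData\Local. The following triage helper is an added example written for this thread; it is not part of the original post and not code from Farbar or the Malware Response Team. It runs the same pattern checks over FRST-style log lines so an analyst can spot those classes before writing a fixlist. The function names, the sample lines (modeled on the thread's fixlist, with a placeholder user path and a placeholder task GUID) and the "lowercase-only leaf name" heuristic for random directories are all assumptions of this example.

```python
"""Triage of FRST-style log lines for common adware persistence patterns.

Added example, not the thread's or Farbar's code. The regexes follow the
line shapes visible in the thread's fixlist; the classification rules are
heuristics chosen for this example and are meant to produce review
candidates, not verdicts.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    line: str


# Line shapes as they appear in FRST output (per the thread's fixlist).
POLICY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender: Restriction", re.I)
TASK_RE = re.compile(
    r"^Task: \{[0-9A-F-]{36}\} - System32\\Tasks\\(?P<name>\S+) => (?P<target>.+)$", re.I)
STARTUP_RE = re.compile(
    r"^Startup: (?P<path>.+\.lnk)(?: \[\d{4}-\d{2}-\d{2}\])?$", re.I)
# Directory entries: created - modified - size ____D path
DIR_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \S+ \S+ - \d{9} ____D (?P<path>.+)$")
APPDATA_LOCAL_LEAF = re.compile(r"\\AppData\\Local\\(?P<leaf>[^\\]+)$", re.I)


def looks_random(leaf: str) -> bool:
    """Heuristic (assumption of this example): vendor folders under
    AppData\\Local are almost always capitalised (Google, Microsoft, Packages),
    so a 6-8 character all-lowercase leaf with no digits or separators is
    treated as a review candidate. Crude, but it matches the batch of
    7-letter folders created minutes apart in the thread."""
    return re.fullmatch(r"[a-z]{6,8}", leaf) is not None


def triage(lines):
    """Return one Finding per line that matches a persistence pattern."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if POLICY_RE.match(line):
            # A Policies\Windows Defender key on a home machine is a red flag:
            # it is how adware keeps Defender from scanning or running.
            findings.append(Finding("defender-policy-restriction", line))
            continue
        m = TASK_RE.match(line)
        if m:
            # Tasks are normal; tasks that launch from a user profile are not.
            if re.search(r"\\Users\\", m.group("target"), re.I):
                findings.append(Finding("task-from-user-profile", line))
            continue
        if STARTUP_RE.match(line):
            # Every Startup-folder shortcut is listed for analyst review.
            findings.append(Finding("startup-shortcut", line))
            continue
        m = DIR_RE.match(line)
        if m:
            leaf = APPDATA_LOCAL_LEAF.search(m.group("path"))
            if leaf and looks_random(leaf.group("leaf")):
                findings.append(Finding("random-appdata-dir", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Constructed sample lines modeled on the thread's fixlist. The user path and
# the second task GUID are placeholders, not values from a real system.
SAMPLE_LINES = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION",
    r"Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitesse.lnk [2018-05-30]",
    r"2018-06-02 18:03 - 2018-06-02 18:03 - 000000000 ____D C:\Users\user\AppData\Local\rabnose",
    r"2018-06-02 18:00 - 2018-06-02 18:00 - 000000000 ____D C:\Users\user\AppData\Local\vdnkbzw",
    r"2018-06-01 09:10 - 2018-06-01 09:10 - 000000000 ____D C:\Users\user\AppData\Local\Google",
    r"Task: {BC894C9C-6EFD-49A7-A544-E92E8FABCF64} - System32\Tasks\technocrat_athwart => C:\Users\user\AppData\Local\Solubility.exe",
    r"Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe",
    r"2018-05-30 02:40 - 2018-05-30 02:40 - 000020519 _____ (LinishqX) C:\Users\user\AppData\Local\Temp\cubesta.exe",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.line}")
    print(summarize(triage(SAMPLE_LINES)))
```

On the sample input the helper flags the Defender policy key, the Startup shortcut, the two lowercase AppData\Local directories and the task launching Solubility.exe from the profile, while leaving the Google folder, the Defrag task and the Temp executable (a file, not a directory) alone. Findings are review candidates: the analyst still confirms each one, as the fixlist in the thread did, before anything is moved.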

#5 ChaikaCherry

ChaikaCherry
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 02 June 2018 - 09:29 PM

--------FRST Fixlog--------------

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.06.2018
Ran by Gage Cencer (02-06-2018 21:24:30) Run:2
Running from C:\Users\Gage Cencer\Desktop
Loaded Profiles: Gage Cencer (Available Profiles: Gage Cencer & OVRLibraryService)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\Windows\System32\wmehpkcsvc.exe  
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Startup: C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitesse.lnk [2018-05-30]
Startup: C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitessevitesse.lnk [2018-05-30]
2018-06-02 18:03 - 2018-06-02 18:03 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\rabnose
2018-06-02 18:00 - 2018-06-02 18:00 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\vdnkbzw
2018-06-02 17:56 - 2018-06-02 17:56 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\vdastux
2018-06-02 17:26 - 2018-06-02 17:26 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\mbrctdw
2018-06-02 17:23 - 2018-06-02 17:23 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\cwibxlu
2018-06-02 17:21 - 2018-06-02 17:21 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\raihndc
2018-06-02 17:18 - 2018-06-02 17:18 - 000000000 ____D C:\Users\Gage Cencer\AppData\Local\exorsuh
2018-05-30 02:40 - 2018-05-30 02:40 - 000020519 _____ (LinishqX) C:\Users\Gage Cencer\AppData\Local\Temp\cubesta.exe
2018-06-01 14:12 - 2018-05-30 08:38 - 011609024 _____ (SurfRight B.V.) C:\Users\Gage Cencer\AppData\Local\Temp\HitmanPro.exe
2018-05-30 03:12 - 2018-04-03 20:40 - 000375384 _____ (Symantec Corporation) C:\Users\Gage Cencer\AppData\Local\Temp\SEVINST64x86.EXE
Task: {BC894C9C-6EFD-49A7-A544-E92E8FABCF64} - System32\Tasks\technocrat_athwart => C:\Users\Gage Cencer\AppData\Local\Solubility.exe
Task: {E2F34C77-AF3E-466E-9810-CEDD87640B5D} - System32\Tasks\technocrat_athwarttechnocrat_athwart => C:\Users\Gage Cencer\AppData\Local\Solubility.exe
EMPTYTEMP:
Reboot:
 
*****************
 
C:\Windows\System32\wmehpkcsvc.exe => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitesse.lnk => moved successfully
C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vitessevitesse.lnk => moved successfully
C:\Users\Gage Cencer\AppData\Local\rabnose => moved successfully
C:\Users\Gage Cencer\AppData\Local\vdnkbzw => moved successfully
C:\Users\Gage Cencer\AppData\Local\vdastux => moved successfully
C:\Users\Gage Cencer\AppData\Local\mbrctdw => moved successfully
C:\Users\Gage Cencer\AppData\Local\cwibxlu => moved successfully
C:\Users\Gage Cencer\AppData\Local\raihndc => moved successfully
C:\Users\Gage Cencer\AppData\Local\exorsuh => moved successfully
C:\Users\Gage Cencer\AppData\Local\Temp\cubesta.exe => moved successfully
C:\Users\Gage Cencer\AppData\Local\Temp\HitmanPro.exe => moved successfully
C:\Users\Gage Cencer\AppData\Local\Temp\SEVINST64x86.EXE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BC894C9C-6EFD-49A7-A544-E92E8FABCF64}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BC894C9C-6EFD-49A7-A544-E92E8FABCF64}" => removed successfully
C:\WINDOWS\System32\Tasks\technocrat_athwart => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\technocrat_athwart" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E2F34C77-AF3E-466E-9810-CEDD87640B5D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E2F34C77-AF3E-466E-9810-CEDD87640B5D}" => removed successfully
C:\WINDOWS\System32\Tasks\technocrat_athwarttechnocrat_athwart => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\technocrat_athwarttechnocrat_athwart" => removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6732463 B
Java, Flash, Steam htmlcache => 20583986 B
Windows/system/drivers => 1698387 B
Edge => 528161 B
Chrome => 481581819 B
Firefox => 128971164 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 19342 B
LocalService => 0 B
NetworkService => 29422 B
NetworkService => 0 B
Gage Cencer => 336754708 B
OVRLibraryService => 6656 B
 
RecycleBin => 14477062 B
EmptyTemp: => 953 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:25:04 ====
 
 
 
------------------Roguekiller log--------------------------
 
RogueKiller V12.12.19.0 (x64) [May 28 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : Gage Cencer [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 06/02/2018 21:42:03 (Duration : 00:29:54)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1129355763-8270084-977103279-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1129355763-8270084-977103279-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 3 ¤¤¤
[PUP.AutoIt.Gen][File] C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OP Auto Clicker.lnk [LNK@] C:\Users\GAGECE~1\Desktop\AUTOCL~1.EXE -> Removed at reboot [2]
[Root.Wajam][File] C:\Windows\System32\drivers\875cb38a44d7e49849d33d074e9b8a26.sys -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 3 ¤¤¤
[PUM.HomePage][Firefox:Config] el6pmq0a.default : user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/"); -> Replaced (about:home)
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.ecsd.us/] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.youtube.com/|] -> Deleted
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON RBU-SNS8152S3256GG5 +++++
--- User ---
[MBR] 418252a338b6c5b9b3f422abcc474467
[BSP] 166c3b46925c64813d0bbdbedbebfd02 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 616448 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 878592 | Size: 242374 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 497262592 | Size: 493 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 498274304 | Size: 900 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 64fff22da718b6fa3500c801fc02f20f
[BSP] e3920e12c68ae4809dcca3d15b4446b6 : Empty MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 935804 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1916528640 | Size: 18064 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
-----------------And AdwCleaner Log------------------
# -------------------------------
# Malwarebytes AdwCleaner 7.1.1.0
# -------------------------------
# Build:    04-27-2018
# Database: 2018-05-29.2
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    05-30-2018
# Duration: 00:00:04
# OS:       Windows 10 Home
# Cleaned:  26
# Failed:   2
 
 
***** [ Services ] *****
 
Deleted       Quoteex
Deleted       8130e836b563cc10084526e65d0a3c4f
Deleted       5aa66834f2146d777f1d33729cb334df
Deleted       backlh
Deleted       windowsmanagementservice
 
***** [ Folders ] *****
 
Deleted       C:\Users\Gage Cencer\AppData\Roaming\AGData
Deleted       C:\Users\Gage Cencer\AppData\Local\AdvinstAnalytics
Deleted       C:\Users\Gage Cencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
Deleted       C:\Windows\Syswow64\SSL
Deleted       C:\Windows\Temp\Smartbar
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
Deleted       C:\Windows\System32\Tasks\AGProxyCheck
 
***** [ Registry ] *****
 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3AAEB561-A4DE-4451-865F-FD4F77929EA1} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AGProxyCheck
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AnonymizerGadget
Deleted       HKLM\Software\Wow6432Node\xs
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{BA95F118-A1EF-4DDB-8AAC-54B52D754C88}
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{6F84C83E-06E7-452D-9148-DBF7C03BF52C}
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{25703517-1ADD-40D2-8590-7F1437B5FDB3}C:\program files (x86)\bitlord\bitlord.exe
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{A4D389FE-D04F-41E0-A234-42D904BDCAEC}C:\program files (x86)\bitlord\bitlord.exe
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quoteex.exe
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quoteex.exe
Deleted       HKU\S-1-5-18\Software\Caphyon\Advanced Updater\{F039D4A9-14D3-4425-A4FA-F2F9D5B0E014}
Deleted       HKU\.DEFAULT\Software\Caphyon\Advanced Updater\{F039D4A9-14D3-4425-A4FA-F2F9D5B0E014}
 
***** [ Chromium (and derivatives) ] *****
 
Not Deleted   Bazz Search SafeFinder
 
***** [ Chromium URLs ] *****
 
Deleted       Ask
Deleted       Search Here
Deleted       AOL
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
Not Deleted   suggestqueries.google.com
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
 


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 02 June 2018 - 09:33 PM

How is the computer doing?




#7 ChaikaCherry

ChaikaCherry
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 02 June 2018 - 09:35 PM

I have yet to be redirected to any other search so I think it's fixed, thank you very much! And would you be able to delete this thread? If any more problems arise I will message you.



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 02 June 2018 - 09:49 PM

The thread cannot be deleted as a rule. What bothers you about it?

 

Use this application to remove quarantined items:

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)




#9 ChaikaCherry

ChaikaCherry
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 02 June 2018 - 09:55 PM

There was nothing that bothered me, I didn't know there was more to do is all,

my bad. Thank you for helping me.



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 02 June 2018 - 10:07 PM

You are welcome. :)

 

Since there are no signs of infection anymore, I guess we're done here.
 
Windows Updates
 
Keeping Windows up to date is one of the first steps in having a safe and secure system.


Keeping your programs up-to-date
 
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.
 
Other recommendations
 
It's your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.
Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security, to improve your current computer protection setup but also improve your good web browsing and computer usage practices:

Best regards. :)




#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:13 PM

Posted 04 June 2018 - 06:17 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
