Kryptico Posted April 5, 2016 ID:1031720

Hello, I have seen a lot of good posts on here resolving the same type of issue but with older versions of Windows. I am using Windows 10 Pro and I just would like some help tailored for me. I became infected while trying to download a serial-to-USB driver online (sneaky viruses). I know because it was constantly running adware through the speakers and hijacking my browser for ads as well. I could tell as soon as it downloaded it was malicious. I was not able to use Windows Defender, so I went to regedit and reset the value for "do not use antimalware". Defender did not help. I attempted to download MBAM directly to the infected laptop. Received an error; it would not let me download. Downloaded MBAM to a USB drive and put it on the laptop, ran MBAM. Lots of malware, all deleted. Or so I thought. Still having issues. Tried Emsisoft, problems persist. Ran RKill. It keeps shutting down a proxy server:

Active Proxy Server Detected
* Proxy Disabled.
* ProxyOverride value deleted.
* ProxyServer value deleted.
* AutoConfigURL value deleted.
* Proxy settings were backed up to Registry file.

Ran multiple programs multiple times, no malware detected, ads still running. Hopefully this helps. Thanks in advance! Also, I am starting to become really interested in cyber security after three days of trying to get at this virus, so explanations and other reading materials are greatly appreciated.

R, Cody
TwinHeadedEagle Posted April 5, 2016 ID:1031752

Hello. In order to help you and to see what is going on, we need some reports from your computer. If you're unable to download the FRST tool from the infected machine, you can download it and transfer it from a non-infected computer.
Kryptico Posted April 6, 2016 Author ID:1031928

Attached are the FRST and Addition files.

Addition.txt
FRST.txt
TwinHeadedEagle Posted April 6, 2016 ID:1032011

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the icon and select Run as Administrator to start the tool. (XP users click Run after receipt of Windows Security Warning - Open File.)
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop, called Fixlog.txt. Please attach it to your reply.

fixlist.txt
Kryptico Posted April 6, 2016 Author ID:1032026

Ok, Fixlog attached. Does this mean I am virus free? What was it?

Fixlog.txt
TwinHeadedEagle Posted April 6, 2016 ID:1032027

It was malware called Dotdo --> https://blog.malwarebytes.org/cybercrime/2016/03/adware-pup-dotdo-fastinternet-blocks-security-related-domains/

Your PC should be clean now, but let's run a Malwarebytes scan for non-active remnants cleanup.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Install the program and select Update.
Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits. In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the History tab.
Click Application Logs and double-click the Scan Log.
At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
Kryptico Posted April 6, 2016 Author ID:1032034

Attached log.

Scan Log MBAM.txt
TwinHeadedEagle Posted April 7, 2016 ID:1032122

Very good. Is everything running fine now?
Kryptico Posted April 7, 2016 Author ID:1032186

Yeah, so far so good. Thank you very much!! Is there anything else I need to do?
TwinHeadedEagle Posted April 7, 2016 ID:1032188

No, this was everything:

Since there are no more problems, we can declare this PC clean. Now we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.
Run the tool by right-clicking on the icon and choosing the Run as administrator option.
Make sure that these ones are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Push Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in good shape.

Security tips - highly recommended reading: Simple and easy ways to keep your computer safe and secure on the Internet
Maintenance tips: Optimize Windows for better performance
Additional software that I personally use and install on all my clients' devices:
Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search for malware.
Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
McShield - to prevent infections spread by removable media.
Unchecky - to prevent installing additional foistware bundled in legitimate installations.
CryptoPrevent - tool for protection against Cryptolocker and similar ransomware infections.
Adblock - to surf the web without annoying ads!
Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they're all up-to-date.

My help is free for everybody. If you're happy with the help provided and/or wish to show your appreciation, please consider a donation: Thank you!

Stay safe, TwinHeadedEagle
Kryptico Posted April 7, 2016 Author ID:1032196

New development, I am still having issues. I tried to download the link you supplied and I got a proxy server error. I did some searching and found a few things that I am unsure of. The two files I found are called ceement and adxregistrator. I found the adxregistrator in my users>documents>add-in express. It looks suspicious because it elevates control, disables functions and enables some kind of stealth mode. Also my Chrome proxy settings are grayed out.
TwinHeadedEagle Posted April 7, 2016 ID:1032200

Hmm, could be something left in the registry that is locking down proxy settings. Can you supply me with a fresh FRST scan report?
Kryptico Posted April 7, 2016 Author ID:1032202

Attached FRST.txt
Kryptico Posted April 7, 2016 Author ID:1032217

Also here is a copy of those suspicious files. I know you know what you are doing, but if anyone else is reading this, don't open the files attached please.

Copy of Ceement file.txt
Copy of adxregistrator.txt
TwinHeadedEagle Posted April 7, 2016 ID:1032221

These files look legit. You can always scan them with VirusTotal to see if they are malicious.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the icon and select Run as Administrator to start the tool. (XP users click Run after receipt of Windows Security Warning - Open File.)
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop, called Fixlog.txt. Please attach it to your reply.

fixlist.txt
Kryptico Posted April 7, 2016 Author ID:1032224

Fixlog attached

Fixlog.txt
TwinHeadedEagle Posted April 7, 2016 ID:1032225

It should be fixed now?
Kryptico Posted April 7, 2016 Author ID:1032229

I still cannot go to bleepingcomputer to download the DelFix. I thought it could be that MBAM and Emsisoft were at odds, so I uninstalled Emsisoft. I will check for other virus programs, but ERR_PROXY_CONNECTION_FAILED is what keeps displaying in my Chrome browser.
TwinHeadedEagle Posted April 7, 2016 ID:1032232

Where are you starting Google Chrome from? This malware is creating a Google Chrome shortcut with an argument to apply the proxy setting upon start. Right-click on the Google Chrome shortcut, click Properties and make a picture of this window.
Kryptico Posted April 7, 2016 Author ID:1032236

Think you are right
TwinHeadedEagle Posted April 7, 2016 ID:1032280

Okay, please delete the part after " and press OK. It should be like this now:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
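The hijack diagnosed in this thread has two halves: the WinINET proxy values RKill kept resetting, and a Chrome shortcut whose Arguments field forces a proxy on every start. The audit script below is an added example, not from the thread or from Malwarebytes; it assumes the default shortcut folders ($ShortcutDirs), the Chrome command-line proxy switches, and the Internet Explorer policy key commonly used to grey out proxy settings, and it only reports what it finds unless -Fix is passed.

```powershell
# Added example: audit Chrome shortcuts and WinINET proxy settings for the
# hijack pattern discussed above. Run from an elevated PowerShell prompt.
param([switch]$Fix)   # -Fix clears proxy arguments from Chrome shortcuts

# Assumed default shortcut locations; extend for other profiles if needed.
$ShortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
# Chrome switches that route traffic through a proxy or PAC script.
$ProxySwitches = '--proxy-server=', '--proxy-pac-url=', '--proxy-auto-detect'
$Shell = New-Object -ComObject WScript.Shell

foreach ($dir in $ShortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $Shell.CreateShortcut($_.FullName)
        # Only Chrome targets with a non-empty argument list are of interest.
        if ($lnk.TargetPath -match 'chrome\.exe$' -and $lnk.Arguments) {
            $hit = $ProxySwitches | Where-Object { $lnk.Arguments -like "*$_*" }
            if ($hit) {
                Write-Warning "Proxy argument in shortcut: $($_.FullName) -> $($lnk.Arguments)"
                if ($Fix) {
                    # Same outcome as the manual fix above: target only, no arguments.
                    $lnk.Arguments = ''
                    $lnk.Save()
                    Write-Output "Cleared arguments on $($_.FullName)"
                }
            }
        }
    }
}

# WinINET values RKill reported resetting in this thread.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL

# Assumed lockdown location: Proxy=1 here greys out the proxy settings UI.
$policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
if (Test-Path $policy) {
    Get-ItemProperty -Path $policy | Select-Object Proxy
}
```

A shortcut that still shows a proxy switch after the registry values are clean explains why the proxy error reappears only when Chrome is launched from that shortcut.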
Kryptico Posted April 7, 2016 Author ID:1032286

Ok, done. I was able to download the DelFix program and ran it as instructed. Hopefully now I am safe? The computer is much faster and I haven't detected any more issues.
TwinHeadedEagle Posted April 7, 2016 ID:1032333

Yes, you're good to go now.
AdvancedSetup (Root Admin) Posted April 12, 2016 ID:1033383

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!