Jump to content

AdwC leaves registry posts from "jhdbca"


Ender
 Share

Recommended Posts

Hello, because i was dumb, i had some problems with a browser hijacker last night. I think managed to remove everything but a few registry posts that keep coming back.

I have run AdwC, Malwarebytes and JRT. Ran the computer with clean boot. Tried in safe mode.

I manually went to delete the posts, came back on reboot

Even if AdwC seems to be able to remove some of them, the do come back after a short while.

I ran FRST as i noticed it is usually something that is asked for, i uploaded the logs.

If there is something i forgot to upload please say so.

I am not that used to these things so if someone have any ideas i would be happy for any help.

The keys are:

HKU\.DEFAULT\Software\jhdbca
 HKU\S-1-5-18\Software\jhdbca
HKLM\SOFTWARE\jhdbca
[x64] HKLM\SOFTWARE\jhdbca

 

Thanks guys. =)
 

AdwCleaner[C9].txt

Addition.txt

FRST.txt

Link to post
Share on other sites

  • Staff

Hello,

Thank you for providing the logreports, it has been useful.

Please do the following in order to fix your issues. Some elements were not handled by AdwCleaner and it's pretty strange, that's why the script below includes a part to zip and upload a few interesting files.

Download fixlist.txt file and save it to the Desktop (right-click on the link -> save as, with the name "fixlist.txt")

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Then, a file named Upload.zip should be in your desktop. Please upload it to https://up2sha.re/ and paste the generated link in your answer.

Thanks,

Link to post
Share on other sites

  • Staff

Hello,

Thanks, it's interesting.

    Please download MBAM: https://www.malwarebytes.com/mwb-download/thankyou/
    On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
    Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    When the Scan is complete, select Apply Actions to any found entries.
    Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the Scan log which shows the Date and time of the scan just performed.
    Click Export > Copy to Clipboard and paste the content in your next answer on the forum.

Thanks!

 

Link to post
Share on other sites

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-11-23
Scan Time: 20:30
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.23.14
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: phili_000

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 373945
Time Elapsed: 7 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 3
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc\WinSAP.dll, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher\Archer.dll, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
Adware.Elex, C:\Program Files (x86)\Common Files\Services\iThemes.dll, Delete-on-Reboot, [febcf4cfe0ba46f0116ec21b5ea54eb2], 

Registry Keys: 5
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\iThemes5, Quarantined, [febcf4cfe0ba46f0116ec21b5ea54eb2], 
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{198B5DCD-7FF1-4035-9869-5EBC82E51029}, Quarantined, [8a303d86eab0191d2300442036cd956b], 
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ChelfNotify Task, Quarantined, [19a13d8651494aeca57f1f45ce35a35d], 
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Archer, Quarantined, [00ba5370adede551cfef9530669dfc04], 
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinSAPSvc, Quarantined, [6b4fbe05cad02412dae53e87d2317090], 

Registry Values: 1
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{198B5DCD-7FF1-4035-9869-5EBC82E51029}|Path, \ChelfNotify Task, Quarantined, [8a303d86eab0191d2300442036cd956b]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 

Files: 8
Adware.Elex.Generic, C:\Users\phili_000\Desktop\23.11.2016_19.14.55.zip, Quarantined, [16a4d5ee762479bd7ad7fddff21135cb], 
PUP.Optional.Elex, C:\Windows\System32\Tasks\ChelfNotify Task, Quarantined, [dddd1ba873272a0c02235113e1222ad6], 
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc\WinSAP.dll, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher\Archer.dll, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
Adware.Elex, C:\Program Files (x86)\Common Files\Services\iThemes.dll, Delete-on-Reboot, [febcf4cfe0ba46f0116ec21b5ea54eb2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\9.3.6494.400.manifest, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\BrowserUpdate.exe, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\chrome_elf.dll, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.