AdwC leaves registry posts from "jhdbca"

[Ender]

Hello, because i was dumb, i had some problems with a browser hijacker last night. I think managed to remove everything but a few registry posts that keep coming back.

I have run AdwC, Malwarebytes and JRT. Ran the computer with clean boot. Tried in safe mode.

I manually went to delete the posts, came back on reboot

Even if AdwC seems to be able to remove some of them, the do come back after a short while.

I ran FRST as i noticed it is usually something that is asked for, i uploaded the logs.

If there is something i forgot to upload please say so.

I am not that used to these things so if someone have any ideas i would be happy for any help.

The keys are:

HKU\.DEFAULT\Software\jhdbca
 HKU\S-1-5-18\Software\jhdbca
HKLM\SOFTWARE\jhdbca
[x64] HKLM\SOFTWARE\jhdbca

 

Thanks guys. =)
 

AdwCleaner[C9].txt

Addition.txt

FRST.txt

[jboursier]

Hello,

Thank you for providing the logreports, it has been useful.

Please do the following in order to fix your issues. Some elements were not handled by AdwCleaner and it's pretty strange, that's why the script below includes a part to zip and upload a few interesting files.

Download fixlist.txt file and save it to the Desktop (right-click on the link -> save as, with the name "fixlist.txt")

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Then, a file named Upload.zip should be in your desktop. Please upload it to https://up2sha.re/ and paste the generated link in your answer.

Thanks,

[Ender]

Hello, thank you for the reply. 

I just got home from work and i am running the fix now. The program had been searching for roughly 40 mins now. But i guess this is normal.

As soon as it is done i will upload.

[Ender]

It is still searching now, 2 hours has passed. Is this normal? 

[Ender]

Okay, out of nowhere it started and finished in a few minutes. 

Zip:

https://up2sha.re/file?f=QHXmOXesr8a7

Fixlog.txt

[jboursier]

Hello,

Thanks, it's interesting.

    Please download MBAM: https://www.malwarebytes.com/mwb-download/thankyou/
    On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
    Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    When the Scan is complete, select Apply Actions to any found entries.
    Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the Scan log which shows the Date and time of the scan just performed.
    Click Export > Copy to Clipboard and paste the content in your next answer on the forum.

Thanks!

 

[Ender]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-11-23
Scan Time: 20:30
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.23.14
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: phili_000

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 373945
Time Elapsed: 7 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 3
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc\WinSAP.dll, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher\Archer.dll, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
Adware.Elex, C:\Program Files (x86)\Common Files\Services\iThemes.dll, Delete-on-Reboot, [febcf4cfe0ba46f0116ec21b5ea54eb2], 

Registry Keys: 5
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\iThemes5, Quarantined, [febcf4cfe0ba46f0116ec21b5ea54eb2], 
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{198B5DCD-7FF1-4035-9869-5EBC82E51029}, Quarantined, [8a303d86eab0191d2300442036cd956b], 
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ChelfNotify Task, Quarantined, [19a13d8651494aeca57f1f45ce35a35d], 
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Archer, Quarantined, [00ba5370adede551cfef9530669dfc04], 
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinSAPSvc, Quarantined, [6b4fbe05cad02412dae53e87d2317090], 

Registry Values: 1
PUP.Optional.Elex, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{198B5DCD-7FF1-4035-9869-5EBC82E51029}|Path, \ChelfNotify Task, Quarantined, [8a303d86eab0191d2300442036cd956b]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 

Files: 8
Adware.Elex.Generic, C:\Users\phili_000\Desktop\23.11.2016_19.14.55.zip, Quarantined, [16a4d5ee762479bd7ad7fddff21135cb], 
PUP.Optional.Elex, C:\Windows\System32\Tasks\ChelfNotify Task, Quarantined, [dddd1ba873272a0c02235113e1222ad6], 
PUP.Optional.Elex, C:\ProgramData\WinSAPSvc\WinSAP.dll, Delete-on-Reboot, [3e7ccbf8faa01d19ba682f90da297090], 
PUP.Optional.Elex, C:\Program Files (x86)\WinArcher\Archer.dll, Delete-on-Reboot, [98223a890199ff37e83f6a55798a738d], 
Adware.Elex, C:\Program Files (x86)\Common Files\Services\iThemes.dll, Delete-on-Reboot, [febcf4cfe0ba46f0116ec21b5ea54eb2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\9.3.6494.400.manifest, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\BrowserUpdate.exe, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 
PUP.Optional.Elex, C:\ProgramData\ChelfNotify\chrome_elf.dll, Quarantined, [8d2d9e25b0ea1f17d405536051b22ed2], 

Physical Sectors: 0
(No malicious items detected)

(end)

[jboursier]

Thanks!

It should be better now, can you confirm?

[Ender]

I just ran a new scan  with MBAM, nothing found.

Also ran a scan with AdwC, It found 7 issues, adding the log file. 

Just after it was done with the reboot i ran a new scan that produced no issues. (added log file for that scan as well.)

 

AdwCleaner[C10].txt

AdwCleaner[S16].txt

[jboursier]

Hello,

Nice.

If you don't have any more question, you can uninstall AdwCleaner with File > Uninstall.

Best regards,