joshkmartinez (Author) Posted May 17, 2017 ID:1125641
Here are the new log files.
Attachments: Addition.txt, FRST.txt
Aura Posted May 17, 2017 ID:1125830
Are you actively using a Rainmeter theme?
joshkmartinez (Author) Posted May 17, 2017 ID:1125903
Yep, why?
Aura Posted May 17, 2017 ID:1125958
Alright, disable your active Rainmeter theme, and run the following FRST fix.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
1. Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press Enter;
2. Open the file you just created, copy/paste the content below into it, then save it (Ctrl + S):

    CloseProcesses:
    HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\Winlogon: [Shell] C:\windows\explorer.exe [4674360 2017-04-27] (Microsoft Corporation) <==== ATTENTION

3. Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
4. Click on the Fix button;
5. On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
6. Copy and paste its content in your next reply.
joshkmartinez (Author) Posted May 17, 2017 ID:1125968
Here is the fix log (it didn't open upon the reboot, but I found it):

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by ckurl (17-05-2017 15:29:23) Run:2
Running from F:\iAmInfected\FRST64
Loaded Profiles: ckurl (Available Profiles: ckurl)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\Winlogon: [Shell] C:\windows\explorer.exe [4674360 2017-04-27] (Microsoft Corporation) <==== ATTENTION
*****************

Processes closed successfully.
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully

The system needed a reboot.

==== End of Fixlog 15:29:24 ====

UPON REBOOT MY LOCK SCREEN WALLPAPER CHANGED TO THE DEFAULT WINDOWS ONE
Aura Posted May 17, 2017 ID:1125969
This is normal. Basically we removed the patched explorer.exe (most likely patched by Rainmeter). I want to see if you still get ads after this, so do not re-enable Rainmeter for now.
joshkmartinez (Author) Posted May 17, 2017 ID:1125970
It opened at start-up just now, so should I disable it for now?
joshkmartinez (Author) Posted May 17, 2017 ID:1125971
Even when I installed Rainmeter when I just got my PC, I never got ads.
Aura Posted May 17, 2017 ID:1125972
joshkmartinez said, 4 minutes ago:
    Even when I installed Rainmeter when I just got my PC, I never got ads.

Alright, that I didn't know. In case I didn't ask (yet), when did the ads start?
joshkmartinez (Author) Posted May 17, 2017 ID:1125973
To be completely honest, I don't really remember. It was about a week before I started this forum.
joshkmartinez (Author) Posted May 17, 2017 ID:1125980
What now?
Aura Posted May 17, 2017 ID:1125981
Well, I have an idea, but it would require a cloud storage service to work. Do you have a Google Drive, OneDrive or Dropbox account? Even Mega works.
joshkmartinez (Author) Posted May 17, 2017 ID:1125982
Is it OK to re-enable Rainmeter at start-up?
joshkmartinez (Author) Posted May 17, 2017 ID:1125984
Yep, I have Google Drive. But what do you have in mind...
Aura Posted May 17, 2017 ID:1125985
Yes, you can re-enable it. Basically we'll take a trace of your system using ProcMon, which monitors everything going on in the system. We'll wait for an ad to pop up (like we did with ProcExp), and from there you'll send me the trace and I'll analyze it. It should allow me to identify what launched that ad. However, every program needs to be closed while the trace is running, and the file it creates can end up being a few GBs, hence the need to transfer it via a cloud sharing service.
joshkmartinez (Author) Posted May 17, 2017 ID:1125988
OK, I thought you wanted me to, like, upload my whole computer to Google Drive and then do a system restore, or something like that. What would you like me to do first?
Aura Posted May 18, 2017 ID:1126390
Sorry for the delay.
1. Download and extract ProcessMonitor.zip on your system, then launch procmon.exe: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
2. Once done, it'll start monitoring your system automatically. Wait for a pop-up to occur.
3. Once it appears, click on the little magnifying glass in the top left corner to stop the capture.
4. After that, click on the File menu, followed by Save, and save the file somewhere easily accessible (like your Desktop).
5. Once done, upload that file to Google Drive and give me a public download URL for it (you can PM it to me if you want).
joshkmartinez (Author) Posted May 18, 2017 ID:1126402
Can I be working on my PC when the ad comes up?
Aura Posted May 18, 2017 ID:1126412
If possible, try not to open Google Chrome. Otherwise, you can. If you see that the log ends up being way too big, then restart the experiment without using your computer. I'm sorry, it's a bothersome step, but in your case I think it is necessary to get more information.
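The ProcMon capture described in the two replies above can be scripted instead of driven through the GUI, which also addresses the "few GBs" problem: with /BackingFile the trace is streamed to disk rather than held in memory. The PowerShell below is an added example, not Aura's instructions or code from Sysinternals or FRST. It assumes Procmon.exe was extracted to $ProcmonDir (hypothetical path), uses the ad domain the poster names further down in the thread, and relies on ProcMon's documented command-line switches and its default CSV export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Detail"). The attribution step does what the helper says they will do by hand: find the Process Create event whose command line carries the ad URL, then walk the parent chain to whatever launched it.

```powershell
# Added example (not the helper's instructions, nor FRST/ProcMon project code):
# capture a ProcMon trace to a backing file, then attribute the ad launch offline.
# Assumptions (not from the thread): Procmon.exe is extracted to $ProcmonDir;
# $AdDomain is the domain the poster reports later; CSV column names are
# ProcMon's default export columns.
$ProcmonDir = 'C:\Tools\ProcessMonitor'      # assumption: where ProcessMonitor.zip was extracted
$AdDomain   = 'softwaredownloadplayer.com'   # from the poster's later reply
$Procmon    = Join-Path $ProcmonDir 'Procmon.exe'
$Trace      = Join-Path $env:USERPROFILE 'Desktop\adtrace.pml'
$Csv        = [IO.Path]::ChangeExtension($Trace, 'csv')

function Start-AdTrace {
    # /Quiet suppresses the filter dialog; /BackingFile streams events to disk,
    # which keeps a multi-GB trace from exhausting memory.
    Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Trace`""
    Read-Host 'Capturing. Press Enter as soon as the ad window appears'
    # /Terminate tells the running instance to stop and flush the backing file.
    Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
    # Convert the binary .pml to CSV so it can be parsed without the GUI.
    Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/OpenLog', "`"$Trace`"", '/SaveAs', "`"$Csv`"" -Wait
    return $Csv
}

function Get-ProcessCreateEvents {
    param([Parameter(Mandatory)][string]$CsvPath)
    # Only Process Create rows matter for attribution. ProcMon's Detail column
    # for that operation reads "PID: <child pid>, Command line: <cmd>".
    Import-Csv -Path $CsvPath |
        Where-Object { $_.Operation -eq 'Process Create' } |
        ForEach-Object {
            if ($_.Detail -match '^PID:\s*(\d+),\s*Command line:\s*(.*)$') {
                [pscustomobject]@{
                    Time        = $_.'Time of Day'
                    ParentName  = $_.'Process Name'
                    ParentPid   = [int]$_.PID
                    ChildPath   = $_.Path
                    ChildPid    = [int]$Matches[1]
                    CommandLine = $Matches[2]
                }
            }
        }
}

function Get-AdLaunchChain {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$Domain
    )
    $creates = @(Get-ProcessCreateEvents -CsvPath $CsvPath)
    # The launch we want is the one whose command line carries the ad URL
    # (typically a browser started with the URL as its argument).
    $hits = $creates | Where-Object { $_.CommandLine -match [regex]::Escape($Domain) }
    foreach ($hit in $hits) {
        $chain = @($hit)
        $cur   = $hit.ParentPid
        $seen  = @{}
        # Walk up: the parent's own Process Create row, if captured, names its
        # parent in turn. Stop at an ancestor created before the trace began
        # (no row) or if a PID repeats (PID reuse in a long trace).
        while ($cur -and -not $seen.ContainsKey($cur)) {
            $seen[$cur] = $true
            $p = $creates | Where-Object { $_.ChildPid -eq $cur } | Select-Object -First 1
            if (-not $p) { break }
            $chain += $p
            $cur = $p.ParentPid
        }
        # Emit outermost ancestor first so it reads like a process tree.
        ,([array]$chain[($chain.Count - 1)..0])
    }
}

# Usage, once the ad has popped up during the capture:
# $csv = Start-AdTrace
# foreach ($chain in Get-AdLaunchChain -CsvPath $csv -Domain $AdDomain) {
#     $chain | ForEach-Object { '{0} [{1}] -> {2}  {3}' -f $_.ParentName, $_.ParentPid, $_.ChildPath, $_.CommandLine }
#     '---'
# }
```

The chain stops at the first ancestor that was already running when the capture started, because ProcMon never saw that process being created; if the chain ends at a scheduled task host, a service host or explorer.exe, the next place to look is the corresponding task, service or autostart entry rather than the trace itself.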
joshkmartinez (Author) Posted May 19, 2017 ID:1126447
https://drive.google.com/open?id=0B6pqYgBKj7SoV1ViOU1KZ2gtNGs
Aura Posted May 19, 2017 ID:1126448
I should have asked this before, but do you remember the domain or website that was displayed in the ad?
joshkmartinez (Author) Posted May 19, 2017 ID:1126455
Yep, it's softwaredownloadplayer.com.
Aura Posted May 19, 2017 ID:1128033
Please uninstall Hotspot Shield (and uninstall the Hotspot Shield VPN Proxy - Unblock Sites Chrome extension as well), and uninstall the Unlimited Free VPN Chrome extension.

Hotspot Shield produces ads:
https://support.hotspotshield.com/hc/en-us/articles/202438954-Why-do-I-see-extra-ads-when-browsing-with-Hotspot-Shield-

Unlimited Free VPN has been reviewed as adware on the Chrome Web Store:
https://chrome.google.com/webstore/detail/uniimitеd-frее-vрn/bkghdibcmhbcaogjpdjonpcddpcnjelj/reviews?hl=en-US

Also, please do not install any other program, extension, etc. during the clean-up. These programs and extensions were installed after you started your thread. If you do that, it's harder for me to keep track of what's going on with your system.

Once done, run the following FRST fix.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
1. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
2. Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
3. Click on the Fix button;
4. On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
5. Copy and paste its content in your next reply.

Attachment: fixlist.txt
joshkmartinez (Author) Posted May 20, 2017 ID:1128289
Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by ckurl (19-05-2017 16:46:54) Run:3
Running from C:\Users\ckurl\Desktop\FRST
Loaded Profiles: ckurl (Available Profiles: ckurl)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\StartupApproved\Run: => "KeepVidMusicService"
S3 KvAppService; C:\Program Files (x86)\Keepvid\KAF\2.4.2.222\KvAppService.exe [474824 2017-03-10] (Keepvid)
C:\Program Files (x86)\Keepvid
C:\Users\ckurl\AppData\Local\LLSSOFT.del
C:\Users\ckurl\AppData\Local\NTUSERLITELIST.del
C:\Users\ckurl\AppData\Local\GVPGIOZPG.del
EmptyTemp:
*****************

Processes closed successfully.
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\KeepVidMusicService => value removed successfully
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KeepVidMusicService => value not found.
HKLM\System\CurrentControlSet\Services\KvAppService => key removed successfully
KvAppService => service removed successfully
C:\Program Files (x86)\Keepvid => moved successfully
C:\Users\ckurl\AppData\Local\LLSSOFT.del => moved successfully
C:\Users\ckurl\AppData\Local\NTUSERLITELIST.del => moved successfully
C:\Users\ckurl\AppData\Local\GVPGIOZPG.del => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 79496848 B
Java, Flash, Steam htmlcache => 138240 B
Windows/system/drivers => 1675838 B
Edge => 1685 B
Chrome => 55633133 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 22962 B
NetworkService => 0 B
ckurl => 4283055 B

RecycleBin => 20127739722 B
EmptyTemp: => 18.9 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 16:47:02 ====
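The two FRST fixes in this thread cleaned two distinct autostart locations: a per-user Winlogon\Shell value (first fix) and a Run entry together with its StartupApproved\Run record (second fix, where the Run value itself was already gone and only the StartupApproved record remained). The PowerShell below is an added example, not FRST output or the helper's instructions, that audits both locations so the same findings can be reproduced without FRST. Run it from an elevated prompt. It assumes only currently loaded user hives are visible under HKEY_USERS, and its reading of the StartupApproved state byte (0x02 or 0x06 = enabled, 0x03 = disabled) is the example's own interpretation of that undocumented format, not something the thread states.

```powershell
# Added example (not from the thread, FRST or the helper): audit the autostart
# locations the two FRST fixes above touched. Run from an elevated PowerShell.
# Assumptions (not from the thread): only loaded user hives appear under
# HKEY_USERS; StartupApproved state byte 0x02/0x06 = enabled, 0x03 = disabled
# is the example author's reading of that undocumented format.

$WinlogonDefault = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-WinlogonOverrides {
    # HKLM holds the machine-wide Shell/Userinit. A per-user Winlogon\Shell value,
    # like the one the first fix removed, overrides it for that SID only and is a
    # classic persistence spot, so any per-user value is reported as suspect.
    $paths = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $paths += Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" }

    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in 'Shell', 'Userinit') {
            if ($key.GetValueNames() -notcontains $name) { continue }
            $data   = $key.GetValue($name)
            $isHklm = $path -like 'Registry::HKEY_LOCAL_MACHINE\*'
            [pscustomobject]@{
                Key     = $path -replace '^Registry::', ''
                Value   = $name
                Data    = $data
                Suspect = (-not $isHklm) -or ($data -ne $WinlogonDefault[$name])
            }
        }
    }
}

function Get-RunEntries {
    # Run values together with the StartupApproved\Run record Task Manager keeps
    # for each. The second fix removed a StartupApproved record whose Run value
    # was already gone ("value not found"), so orphans are reported as well.
    foreach ($root in 'HKCU:', 'HKLM:') {
        $runKey      = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $approvedKey = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
        $run      = if (Test-Path $runKey)      { Get-Item $runKey }      else { $null }
        $approved = if (Test-Path $approvedKey) { Get-Item $approvedKey } else { $null }
        $runNames      = if ($run)      { @($run.GetValueNames()) }      else { @() }
        $approvedNames = if ($approved) { @($approved.GetValueNames()) } else { @() }

        foreach ($name in ($runNames + $approvedNames | Sort-Object -Unique)) {
            $state = 'no StartupApproved record'
            if ($approvedNames -contains $name) {
                $bytes = [byte[]]$approved.GetValue($name)
                $state = switch ($bytes[0]) {
                    2       { 'enabled' }
                    6       { 'enabled' }
                    3       { 'disabled' }
                    default { 'unknown (0x{0:X2})' -f $bytes[0] }
                }
            }
            [pscustomobject]@{
                Hive    = $root
                Name    = $name
                Command = if ($runNames -contains $name) { $run.GetValue($name) } else { '<orphan: no Run value>' }
                State   = $state
            }
        }
    }
}

Get-WinlogonOverrides | Format-Table -AutoSize
Get-RunEntries        | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit Run key under HKLM\SOFTWARE\Wow6432Node is a third location worth adding to the loop; the Winlogon check deliberately treats any per-user Shell or Userinit value as suspect even when it points at the genuine explorer.exe, because the legitimate configuration lives in HKLM and a user-hive copy only exists if something wrote it there.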
Aura Posted May 20, 2017 ID:1128392
Did you uninstall Hotspot Shield and the two extensions like instructed?