Charlottevantricht

Malwarebytes blocks Svchost when opening Google Chrome


Hi,

I downloaded a malicious file which installed several things on my computer in Russian. There was a 'hijack' file, 'Chromium', 'Smart application controller' and some other malware which I luckily could remove (I think so) with Malwarebytes. Google Chrome in particular was kind of hacked and still has some issues while opening, like Russian pop-ups coming on screen.

I think Malwarebytes has already removed the greatest part, but I still find some random Russian files or links on my computer which weren't detected by Malwarebytes nor BullGuard (my antivirus). Also all my Word/Excel/PowerPoint files are converted to ENC files. Is this some one-time problem or will it reoccur in the future?

The greatest issue opening Google Chrome is still the 'svchost.exe' which gets blocked by Malwarebytes. I think there is still some malware disguised in the 'svchost.exe' file. I read it would then be situated in the 'Temp' folder, which isn't the case for me; it's situated in the System32 folder.

I hope you can help me solve this problem...

Thank you in advance


[Attachment: Knipsel.PNG]

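The post above worries that the svchost.exe Malwarebytes is blocking is a disguised malicious binary. The PowerShell below is an added example (not part of the thread and not a Malwarebytes procedure) of the two checks a responder would run before drawing that conclusion: is the file under System32 the genuine Microsoft-signed binary, and is every running svchost.exe started from that path by services.exe? The variable names ($expected, $byPid) are mine; on Windows 10 svchost.exe is catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature resolves catalog signatures on supported Windows versions, so a Status other than Valid on a current OS deserves a second look.

```powershell
# Added example (not from the thread): verify the svchost.exe on disk and in memory.
# Run from an elevated PowerShell so that ExecutablePath is readable for every process.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. On-disk check: Authenticode status must be Valid and the signer must be Microsoft.
#    System binaries are normally catalog-signed; the cmdlet looks the catalog up itself.
#    On an older OS that reports NotSigned, compare the SHA256 against a known-good copy instead.
$sig = Get-AuthenticodeSignature -FilePath $expected
[pscustomobject]@{
    Path   = $expected
    Status = $sig.Status                       # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject    # expect a CN=Microsoft Windows subject
    SHA256 = (Get-FileHash -Path $expected -Algorithm SHA256).Hash
}

# 2. Runtime check: every svchost.exe should run from System32 with services.exe as parent.
#    A copy in %TEMP% or AppData, or one spawned by explorer.exe or a browser, is the
#    "disguised svchost" pattern the post describes.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'")) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $flags  = @()
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expected)) { $flags += 'path-not-System32' }
    if ($parent -and ($parent.Name -ne 'services.exe'))           { $flags += "parent=$($parent.Name)" }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine          # legitimate instances carry -k <servicegroup>
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        Suspicious  = ($flags -join ',')
    }
}
```

A block by Malwarebytes on the genuine svchost.exe usually means a service hosted inside it (Windows Update, BITS, or a third-party service) made a connection to a blocked address; the process name alone does not identify which service, so the command line's -k group and the blocked destination are the next things to look at.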

Hi Charlottevantricht:)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you stayed with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


I strongly advise you to uninstall Popcorn-Time and Popcorn Time. The original project died a few years ago, and since then, only unofficial forks have been in existence, and most of them are malicious, riddled with ads, etc. The best thing to do is to stay away from any program claiming to be Popcorn Time.

Also, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Ran by Gebruiker (16-08-2017 10:47:31) Run:1
Running from C:\Users\Gebruiker\Desktop
Loaded Profiles: Gebruiker (Available Profiles: Gebruiker)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\Run: [setupsk_upd] => "C:\Users\GEBRUI~1\AppData\Roaming\SETUPS~1\python\pythonw.exe" "C:\Users\GEBRUI~1\AppData\Roaming\SETUPS~1\ml.py" --APPNAME="setupsk_upd" <==== ATTENTION
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\Run: [setupsk] => "C:\Users\GEBRUI~1\AppData\Roaming\setupsk\python\pythonw.exe" "C:\Users\GEBRUI~1\AppData\Roaming\setupsk\ml.py" --APPNAME="setupsk" <==== ATTENTION
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\Run: [ycAutoLaunch_C99D706015ACEA666F13C434030273C2] => "C:\Users\Gebruiker\AppData\Local\yc\Application\yc.exe" /prefetch:5
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\Run: [KometaLaunchPanel] => C:\Users\Gebruiker\AppData\Local\Kometa\Panel\KometaLaunchPanel.exe
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\Run: [StartButton] => C:\Users\Gebruiker\AppData\Local\Kometa\StartButton\kometastartvx64.exe
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
Task: {5B36FF61-3355-4F38-BCF2-C761B45DAFF4} - System32\Tasks\DLL-Files.Com Fixer_Updates => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {5E812DE3-A144-40FE-BCAA-287A4B6CBF5E} - System32\Tasks\DLL-Files FixerASKUSER => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {9CDBAB1B-0599-4397-919C-26D442AB3D54} - System32\Tasks\DLL-Files.Com Fixer_MONTHLY => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {A0FAD93D-461E-407B-B44A-425574E4E26C} - System32\Tasks\RDReminder => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\WINDOWS\Tasks\DLL-Files FixerASKUSER.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\WINDOWS\Tasks\DLL-Files.Com Fixer_MONTHLY.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\WINDOWS\Tasks\DLL-Files.Com Fixer_Updates.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\StartupApproved\Run: => "KometaLaunchPanel"
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\StartupApproved\Run: => "StartButton"
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\...\StartupApproved\Run: => "ycAutoLaunch_C99D706015ACEA666F13C434030273C2"
FirewallRules: [{0B3669A5-04F1-45D7-94F3-D223159D7508}] => (Allow) C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
FirewallRules: [{E72F0AA3-9E63-4680-8378-D715843000D1}] => (Allow) C:\Users\Gebruiker\AppData\Local\yc\Application\yc.exe
C:\Program Files (x86)\Dll-Files.com Fixer
C:\Users\Gebruiker\AppData\Local\yc
C:\Users\Gebruiker\AppData\Local\Kometa
C:\Users\GEBRUI~1\AppData\Roaming\SETUPS~1
C:\Users\GEBRUI~1\AppData\Roaming\setupsk
EmptyTemp:
*****************
Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Windows\CurrentVersion\Run\\setupsk_upd => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Windows\CurrentVersion\Run\\setupsk => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ycAutoLaunch_C99D706015ACEA666F13C434030273C2 => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Windows\CurrentVersion\Run\\KometaLaunchPanel => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Windows\CurrentVersion\Run\\StartButton => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5B36FF61-3355-4F38-BCF2-C761B45DAFF4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B36FF61-3355-4F38-BCF2-C761B45DAFF4} => key removed successfully
C:\WINDOWS\System32\Tasks\DLL-Files.Com Fixer_Updates => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DLL-Files.Com Fixer_Updates => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5E812DE3-A144-40FE-BCAA-287A4B6CBF5E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5E812DE3-A144-40FE-BCAA-287A4B6CBF5E} => key removed successfully
C:\WINDOWS\System32\Tasks\DLL-Files FixerASKUSER => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DLL-Files FixerASKUSER => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9CDBAB1B-0599-4397-919C-26D442AB3D54} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CDBAB1B-0599-4397-919C-26D442AB3D54} => key removed successfully
C:\WINDOWS\System32\Tasks\DLL-Files.Com Fixer_MONTHLY => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DLL-Files.Com Fixer_MONTHLY => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A0FAD93D-461E-407B-B44A-425574E4E26C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A0FAD93D-461E-407B-B44A-425574E4E26C} => key removed successfully
C:\WINDOWS\System32\Tasks\RDReminder => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RDReminder => key removed successfully
C:\WINDOWS\Tasks\DLL-Files FixerASKUSER.job => moved successfully
C:\WINDOWS\Tasks\DLL-Files.Com Fixer_MONTHLY.job => moved successfully
C:\WINDOWS\Tasks\DLL-Files.Com Fixer_Updates.job => moved successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\KometaLaunchPanel => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KometaLaunchPanel => value not found.
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\StartButton => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StartButton => value not found.
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\ycAutoLaunch_C99D706015ACEA666F13C434030273C2 => value removed successfully
HKU\S-1-5-21-404570740-1478191909-1450172760-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ycAutoLaunch_C99D706015ACEA666F13C434030273C2 => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0B3669A5-04F1-45D7-94F3-D223159D7508} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E72F0AA3-9E63-4680-8378-D715843000D1} => value removed successfully
"C:\Program Files (x86)\Dll-Files.com Fixer" => not found.
"C:\Users\Gebruiker\AppData\Local\yc" => not found.
"C:\Users\Gebruiker\AppData\Local\Kometa" => not found.
"C:\Users\GEBRUI~1\AppData\Roaming\SETUPS~1" => not found.
"C:\Users\GEBRUI~1\AppData\Roaming\setupsk" => not found.
=========== EmptyTemp: ==========
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40807602 B
Java, Flash, Steam htmlcache => 18777 B
Windows/system/drivers => 16781709 B
Edge => 281494623 B
Chrome => 400318643 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 29594 B
NetworkService => 14096 B
Gebruiker => 33603646 B
RecycleBin => 0 B
EmptyTemp: => 744.8 MB temporary data removed.
================================

The system needed a reboot.
==== End of Fixlog 11:03:33 ====

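The fixlist in the log above removed persistence from four places: Run values (including the 32-bit WOW6432Node view and the user hive), Explorer's StartupApproved\Run, scheduled tasks, and firewall allow rules bound to the unwanted executables. The two setupsk entries are the pattern worth remembering: a bundled pythonw.exe running a script out of AppData\Roaming, with the path written in 8.3 short-name form. The PowerShell below is an added example (mine, not FRST's and not part of the thread) that re-audits those same locations after a fix and flags anything that still points into a user profile, a Temp folder, an 8.3 short-name path, or a script interpreter. The helper name Test-SuspiciousTarget, the interpreter list and the regular expressions are my assumptions; tune them to the host.

```powershell
# Added example (not from the thread): re-audit the autostart locations an FRST fix touches.
# Run from an elevated PowerShell on the cleaned host.

$interpreters = 'pythonw.exe','python.exe','wscript.exe','cscript.exe','powershell.exe','mshta.exe','rundll32.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # the HKLM-x32 view in FRST output
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics (assumed, not FRST's): return a comma-separated list of reasons, or '' if clean.
function Test-SuspiciousTarget {
    param([string]$Target)
    $reasons = @()
    if ($Target -match '\\Users\\[^\\]+\\AppData\\') { $reasons += 'user-profile' }
    if ($Target -match '~\d\\')                      { $reasons += '8.3-short-name' }   # SETUPS~1, GEBRUI~1
    if ($Target -match '\\Temp\\')                   { $reasons += 'temp' }
    foreach ($i in $interpreters) {
        if ($Target -match [regex]::Escape($i))      { $reasons += "interpreter:$i" }
    }
    return ($reasons -join ',')
}

$findings = @()

# 1. Run / RunOnce values, both registry views, machine and current user
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath provider metadata
        $findings += [pscustomobject]@{
            Source = $key; Name = $prop.Name; Target = [string]$prop.Value
            Flags  = Test-SuspiciousTarget ([string]$prop.Value)
        }
    }
}

# 2. Scheduled tasks: executable plus arguments of every exec action
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }           # COM-handler actions have no Execute
        $target = "$($action.Execute) $($action.Arguments)".Trim()
        $findings += [pscustomobject]@{
            Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
            Target = $target; Flags = Test-SuspiciousTarget $target
        }
    }
}

# 3. Enabled firewall allow rules bound to a specific program
foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True) {
    $app = ($rule | Get-NetFirewallApplicationFilter).Program
    if (-not $app -or $app -eq 'Any') { continue }
    $findings += [pscustomobject]@{
        Source = 'FirewallRule'; Name = $rule.DisplayName; Target = $app
        Flags  = Test-SuspiciousTarget $app
    }
}

# Show only flagged entries; drop the Where-Object to see the full inventory.
$findings | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Explorer's StartupApproved\Run is deliberately not audited on its own: it only records whether an entry is enabled or disabled in Task Manager's Startup tab, so a disabled value there still has its launch command in the Run key, which is where the check above reads it. Note also that the FRST fix reported every file path as "not found" because earlier tools had already deleted the binaries; the registry values and tasks pointing at them were the part that still needed removing, which is exactly what a post-clean audit like this is for.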

Good :) Now let's run a sweep with AdwCleaner and JRT.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Junkware Removal Tool (JRT)

  • Download Junkware Removal Tool (JRT) and move it to your Desktop
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Press any key to launch the scan and let it complete
    Credits: BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted JRT log

# AdwCleaner 7.0.1.0 - Logfile created on Wed Aug 16 12:05:51 2017
# Updated on 2017/05/08 by Malwarebytes
# Running on Windows 10 Home (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support
***** [ Services ] *****
No malicious services deleted.
***** [ Folders ] *****
Deleted: C:\ProgramData\Mail.Ru
Deleted: C:\ProgramData\Application Data\Mail.Ru
Deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Mail.Ru
Deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Mail.Ru
Deleted: C:\Users\All Users\Mail.Ru
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
Deleted: C:\ProgramData\Auslogics
Deleted: C:\ProgramData\Application Data\Auslogics
Deleted: C:\Program Files (x86)\Auslogics
Deleted: C:\Windows\SysNative\Tasks\Auslogics
Deleted: C:\Users\All Users\Auslogics
Deleted: C:\ProgramData\{C6FA530F-BB98-4D9F-BA00-45FD0698077C}

***** [ Files ] *****
Deleted: C:\Users\Gebruiker\Favorites\Mail.Ru.url
Deleted: C:\Users\Gebruiker\Favorites\Mail.Ru Агент - используй для общения!.url

***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks deleted.
***** [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\Mail.Ru
Deleted: [Key] - HKU\.DEFAULT\Software\Mail.Ru
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Mail.Ru
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\AppDataLow\Software\Mail.Ru
Deleted: [Key] - HKU\S-1-5-18\Software\Mail.Ru
Deleted: [Key] - HKCU\Software\Mail.Ru
Deleted: [Key] - HKCU\Software\AppDataLow\Software\Mail.Ru
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Xpom
Deleted: [Key] - HKCU\Software\Xpom
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\CLSID\{93469602-4134-4012-A6BC-D46FF1C671E9}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\TYPELIB\{F2C6F7D1-ED32-49E5-9919-00DB857103B2}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\INTERFACE\{6855F0CE-00B1-483F-8633-33B650EE4310}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\{93469602-4134-4012-A6BC-D46FF1C671E9}
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ask.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\azlyrics.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chrome.nl.softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d16fk4ms6rqz1v.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d16fk4ms6rqz1v.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d22j4fzzszoii2.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d22j4fzzszoii2.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d30ke5tqu2tkyx.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d30ke5tqu2tkyx.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dasnice.be
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\divxcrawler.tv
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\gamingwonderland.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\land.pckeeper.software
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pathways.nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\pckeeper.software
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\safebrowsing.bullguard.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\winrar-64bit.nl.softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.azlyrics.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.dasnice.be
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.divxcrawler.tv
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ask.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\azlyrics.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chrome.nl.softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d16fk4ms6rqz1v.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d16fk4ms6rqz1v.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d22j4fzzszoii2.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d22j4fzzszoii2.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d30ke5tqu2tkyx.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d30ke5tqu2tkyx.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dasnice.be
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\divxcrawler.tv
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\gamingwonderland.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\land.pckeeper.software
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pathways.nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pckeeper.software
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\safebrowsing.bullguard.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\winrar-64bit.nl.softonic.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.azlyrics.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.dasnice.be
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.divxcrawler.tv
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.nice.org.uk
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
Deleted: [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{AF325768-7360-49D4-832F-C19B91616299}C:\users\gebruiker\appdata\local\popcorn time\nw.exe
Deleted: [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{2E9729FD-F45D-4DAE-9731-1599D39579E4}C:\users\gebruiker\appdata\local\popcorn time\nw.exe
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Gosearchq
Deleted: [Key] - HKCU\Software\Microsoft\Gosearchq
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Microsoft\Gosearch
Deleted: [Key] - HKCU\Software\Microsoft\Gosearch
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\APN PIP
Deleted: [Key] - HKCU\Software\APN PIP
Deleted: [Key] - HKLM\SOFTWARE\PIP
Deleted: [Key] - HKLM\SOFTWARE\mweshield
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{C81BED3B-31BD-491F-813D-78EFC2638CE1}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AE298D-7E8A-4F53-BE55-15D2B065F6C0}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{278029E0-2347-4254-A65E-204AC55E2508}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\flix123.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\flix123.com
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\MICROSOFT\KometaInstaller
Deleted: [Key] - HKCU\Software\MICROSOFT\KometaInstaller
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\NETBOX\Kometa
Deleted: [Key] - HKCU\Software\NETBOX\Kometa
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\ssn
Deleted: [Key] - HKCU\Software\ssn
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\setupsk
Deleted: [Key] - HKCU\Software\setupsk
Deleted: [Key] - HKU\S-1-5-21-404570740-1478191909-1450172760-1001\Software\Amigo
Deleted: [Key] - HKCU\Software\Amigo
Deleted: [Key] - HKLM\SOFTWARE\Auslogics

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries deleted.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries deleted.
*************************
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
*************************
C:/AdwCleaner/AdwCleaner[S0].txt - [20015 B] - [2017/8/16 12:2:17]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64
Ran by Gebruiker (Administrator) on wo 16/08/2017 at 14:15:32,63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

File System: 1
Successfully deleted: C:\Users\Gebruiker\AppData\Roaming\dll-files.com (Folder)
 
Registry: 3
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C606FF28-DCF4-4A54-BBDD-3A0FD80F7828} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{C606FF28-DCF4-4A54-BBDD-3A0FD80F7828} (Registry Key)
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on wo 16/08/2017 at 14:20:29,69
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Good :) Are you still getting the block notifications for svchost.exe now?


Are these ads and block notifications occurring only in Google Chrome, or in other web browsers such as Microsoft Edge and Internet Explorer as well?


Alright, follow the instructions below.

1. Reset your Google Chrome sync data.

https://support.google.com/chrome/answer/6386691?hl=en

2. Log out from your profile in Google Chrome.

https://support.google.com/chrome/answer/2390059

3. Uninstall Google Chrome.

4. Reinstall Google Chrome.

Let me know if the ads and notifications regarding svchost.exe still appear afterwards.


There seem to be no ads popping up, and no block anymore. Is it 'safe' again to save passwords on Google Chrome? Also, my Word/PowerPoint/Excel files were encrypted. Is there a way to fix this problem? They're all .ENC files.

Thank you for your help!


Awesome :) I never thought that saving passwords in a web browser is a good idea, since they can be stolen by stealers. I recommend using a password manager instead. Personally, I use LastPass.

Also, can you upload one of the encrypted files to ID-Ransomware, and copy/paste the output here?

https://id-ransomware.malwarehunterteam.com/


Alright. Do you have any ransom notes, or not?


Well, we need to find out if your files are hit with CryptoHasYou or TrueCrypter first. If you click on the link for TrueCrypter, where does it lead you?


Let's see if the TrueCrypter folder exists first. Run the following FRST fix and attach the fixlog.txt here afterwards.

fixlist.txt


The folder doesn't exist. So you're most likely hit with CryptoHasYou. Just to be sure, can you copy/paste the full name of an encrypted file, with the extension appended?


I'll talk to one of my colleagues who specialises in ransomware about this and get back to you.

This topic is now closed to further replies.