Infected but can't find it

Hi,

I took the time to look at all the items in the Shortcut log. No malicious sites were found.

Your last stream from mcafeesecurity.application-center.me is SPAM.

http://mcafeesecurity.application-center.me/4/?utm_source=dhara1&utm_pubid=d4908ba5-c683-48e4-9324-4a755d8a986c&x-context=wBFHLMDILJIDFDQE1JC7API0&xm=lm.vxilehikc0dxq.stream

You may be able to remove streams using the UnHackMe free program for this site.
https://greatis.com/blog/how-to/remove-mcafeesecurity-exe-completely.htm

Follow the instructions on the page.

---

This topic will give you additional information to look for.
http://www.myantispyware.com/2018/05/27/how-to-remove-stream-frenzy-chrome-firefox-ie-edge/

Before you uninstall an application and you want more information before proceeding please ask.

Resetting the Browsers affected may be an option.
===

Also suggested on this page is the Zemana Anti-Malware which is recommended.

Please download Zemana Antimalware (Freeware) and save it to your computer's Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the UAC security warning that may appear.
  • Select the language and click the OK button.
  • Click the Next button, accept the EULA warning and follow the instructions to continue and install the program.
  • Once the installation is complete it will start automatically. Wait a few seconds until the update of signature database is complete.
  • Without changing any options, click Scan to begin.
  • After the short scan is finished, if threats are detected click Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then select your computer's Desktop and click the Save button.


Please attach the saved report in your next reply.

Please let me know if the problem persists.

'Unhack me' pointed to 2 other antimalware programs... not very helpful. Two other hits looked questionable.

I chose to ignore its removal hints, so there's no log.

Zemana found one thing which I allowed to have quarantined. (text attached)

"Hosts file - 0.0.0.0 - ft.com" That site appears to be the legitimate Financial Times...

Not sure why that would be there, but I've never seen it as a pop-up. And I doubt it leads me to fake McAfee sites, etc. Odd.

2018.06.23-16.01.41-i0-t92-d1.txt

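The Zemana finding quoted in this post is a hosts-file entry mapping ft.com to 0.0.0.0, which silently blocks that name rather than redirecting it anywhere. The Python below is an added example, not code from the thread or from any of the tools it mentions: it parses a hosts file and lists every non-local mapping, labelling names pointed at 0.0.0.0 or loopback as blocked and names pointed at any other address as redirected. The sample hosts content is constructed for the example (Windows-style default comments, the 0.0.0.0 ft.com line from the thread, and a made-up redirect of www.online-bank.example to 203.0.113.10).

```python
import ipaddress

# Constructed sample hosts file: Windows-style default comments, the entry
# Zemana flagged in the thread (0.0.0.0 ft.com), and one made-up redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 ft.com
203.0.113.10 www.online-bank.example   # constructed: sends a site elsewhere
"""

# Names that legitimately map to loopback/unspecified addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in a hosts file.

    Blank lines, full-line comments and trailing '# ...' comments are ignored;
    a line whose first token is not an IP address is skipped as malformed.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def audit_hosts(text):
    """List the mappings a responder should review.

    A name mapped to 0.0.0.0 or a loopback address is effectively blocked
    (the browser never reaches the real site); a name mapped to any other
    address is redirected to wherever that address points.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        effect = "blocked" if (addr.is_unspecified or addr.is_loopback) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": ip, "effect": effect})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['effect']})")
```

On a live Windows machine the file is C:\Windows\System32\drivers\etc\hosts; read it with `pathlib.Path(...).read_text()` and pass the text to `audit_hosts`. A sinkhole entry like the ft.com one only makes that site unreachable; by itself it cannot produce pop-ups or send the browser to another domain, so a "redirected" finding is the kind that deserves a closer look.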

Also, this is today's hijack attempt log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/23/18
Protection Event Time: 2:52 PM
Log File: 8a32107a-7716-11e8-aa07-509a4cc94828.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5599
License: Premium

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Hijack
Domain: westerndigitalmeasure.com
IP Address: 192.241.254.144
Port: [53317]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

(end)

hijack.txt

Hi,

Let's clean the PowerShell.

Navigate to this page and follow the instructions in post No. 2 by Microsoft Agent Moderator
https://answers.microsoft.com/en-us/edge/forum/edge_other-edge_win10/microsoftedgecpexe/9effffbf-171f-46fb-9982-62f9a15c954b

Where it says Type this command:

I think you can copy the txt in bold and paste it instead of having to Type it.

RESTART the computer normally.

Let me know if all went well.


Playing Words With Friends still goes up to 100% CPU and then either quickly crashes and reloads, or is taken over by virus. This one just now on Edge.

(Am I the only one with this malware? I'd hoped MWB heuristics would've reported the pattern, or enough people would get it that it'd be a priority fix.)

WWF.txt

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/26/18
Protection Event Time: 4:49 PM
Log File: 62273998-7982-11e8-91cb-509a4cc94828.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5641
License: Premium

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Fraud
Domain: ocsp.comodoca4.com
IP Address: 40.136.60.65
Port: [49204]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

(end)
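Both Malwarebytes block reports posted in this thread use the same layout: `-Section-` headers followed by `key: value` rows, which makes them easy to reduce to the handful of fields that matter for triage (blocked domain and IP, direction, and which process opened the connection). The Python below is an added example, not the thread's or Malwarebytes' own code. The two sample reports are copied from the posts above and trimmed to the sections the parser reads; the ", , Blocked, [-1], [-1],0.0.0" row is kept to show that rows without a `key: value` shape are skipped. The two port values (53317 and 49204) both sit in Windows' default dynamic range, 49152 and up, which is what a client-side ephemeral port looks like, so the example labels them as such instead of treating them as a service port; the range constant is the example's own assumption about the machine's configuration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Two Malwarebytes 3.x website-block reports copied from the thread, trimmed
# to the sections this example reads (the banner is kept once to show skipping).
SAMPLE_REPORTS = [
    r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/23/18
Protection Event Time: 2:52 PM

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Hijack
Domain: westerndigitalmeasure.com
IP Address: 192.241.254.144
Port: [53317]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

(end)
""",
    r"""-Log Details-
Protection Event Date: 6/26/18
Protection Event Time: 4:49 PM

-Website Data-
Category: Fraud
Domain: ocsp.comodoca4.com
IP Address: 40.136.60.65
Port: [49204]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
""",
]

SECTION_RE = re.compile(r"^-(?P<name>.+)-$")
KEY_VALUE_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

# Assumption: Windows' default dynamic (client-side) port range starts here.
EPHEMERAL_PORT_START = 49152


def parse_report(text):
    """Parse one report into {section_name: {key: value}}.

    Text before the first '-Section-' header and rows without a 'key: value'
    shape (such as ', , Blocked, [-1], [-1],0.0.0' or '(end)') are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = {}
            continue
        pair = KEY_VALUE_RE.match(line)
        if current is not None and pair:
            sections[current][pair.group("key").strip()] = pair.group("value").strip()
    return sections


def is_ephemeral_port(port):
    """True when a port sits in the range a client uses for outbound connections."""
    return port is not None and port >= EPHEMERAL_PORT_START


def block_event(sections):
    """Reduce a parsed report to the fields worth triaging."""
    details = sections.get("Log Details", {})
    web = sections.get("Website Data", {})
    port_text = web.get("Port", "").strip("[]")
    port = int(port_text) if port_text.isdigit() else None
    return {
        "date": details.get("Protection Event Date"),
        "time": details.get("Protection Event Time"),
        "category": web.get("Category"),
        "domain": web.get("Domain"),
        "ip": web.get("IP Address"),
        "port": port,
        "port_is_ephemeral": is_ephemeral_port(port),
        "direction": web.get("Type"),
        # PureWindowsPath splits a Windows path correctly on any OS.
        "process": PureWindowsPath(web.get("File", "")).name,
    }


def triage(reports):
    """Parse every report and count blocks per process and per category."""
    events = [block_event(parse_report(r)) for r in reports]
    by_process = Counter(e["process"] for e in events)
    by_category = Counter(e["category"] for e in events)
    return events, by_process, by_category


if __name__ == "__main__":
    events, by_process, by_category = triage(SAMPLE_REPORTS)
    for e in events:
        print(f"{e['date']} {e['time']}: {e['category']} {e['direction']} to "
              f"{e['domain']} ({e['ip']}) from {e['process']}")
    print("blocks per process:", dict(by_process))
    print("blocks per category:", dict(by_category))
```

To run it over exported reports, pass `[Path(p).read_text() for p in Path(folder).glob("*.txt")]` to `triage`. Seeing every block attributed to MicrosoftEdge.exe or its content process MicrosoftEdgeCP.exe while a single game page is open points at content loaded by that page (ads and scripts) as the thing opening the connections, which is consistent with the ad blocker later stopping the attempts in this thread.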

Hi,

2 things can cause this.


No. 1
Edge > Syncing issues.

https://www.tenforums.com/tutorials/36286-turn-off-sync-favorites-reading-list-microsoft-edge.html
===

No. 2
Or you have a bad Extension in Edge.

Open Edge and if you find an Extension you did not install delete it.

From those that you did install, disable the last two or three extensions you installed just before this ordeal started.

Keep me posted.

p.s.
I've checked this error on many topics and these fixes worked on all of them.


1)  I don't own any other devices at all, and we turned off and cleared Sync awhile back.

Sync was in the Off position. I ran the tenforums regedit to be sure to shut off Reading Lists and Favorites.

I did not use their Option 2: "To Turn On or Off Sync Content in Microsoft Edge using a REG file" portion.

Not familiar with that, and the other two things I mentioned should've covered that.

2) No extensions are listed. It only offers suggestions on what to add. I've never added any to Edge. 

(I don't much trust extensions to begin with.)

 

The one thing that never quite worked right was in resetting Edge... I recall one webpage you gave me saying to paste the instructions (powershell as admin) while still in Safe Mode, but I always got an error on that, and had to run the instructions after reboot to normal mode.

Are you able to run the code while in Safe Mode?

https://www.thewindowsclub.com/reset-microsoft-edge-browser-to-default-settings-in-windows-10

Hi,

The IP shown belongs to Digital Ocean
Check it out.
https://www.ip-tracker.org/locator/ip-lookup.php?ip=192.241.254.144

If this is not your provider let me know.

The port No. 56744 is used.
This may be problematic.

Is it needed?
Check with your provider.

===

You can remove that port by Opening Internet Explorer.

On the Menu bar select Tools > Internet Options > Connections tab > Lan Settings 

Remove the check mark on the Proxy server.
Delete the 56744 port No.
Click the Apply button

Restart the computer normally to reset the registry.

How is it now?

Hi,

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.


  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:

192.241.254.144

  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


Okay. For fun I tried using Firefox. (It had run even slower when I tested it so I'd only been using Edge.) Got same fake McAfee attempt as on Edge, but Firefox itself stopped it.

Was playing Words With Friends on Facebook.

I reinstalled Chrome, and then installed Ad Block on both that and Edge.

CPU use went from 100% down to 2% with Edge and as low as 0.2% with Chrome.

It blocks 8 ads on Words With Friends (Facebook). So far haven't had any pop-ups or hijack attempts.

It may happen, but at the least I can play the bloody game!

Wish I'd known about this a year ago. Prolly wouldn't have sold my old computer.

Thanks, Jonny Q for the suggestion.

PS It's INSANE that Facebook still allows malvertising, given its billions $$$. 
Too bad Senator McCain never passed a law covering it, years ago.

  • Root Admin

Hello @Ditch67

Just following up to make sure that your issue is now resolved or not. If so, then I'll go ahead and close your topic so that others stop posting here. If you do need further assistance though please let us know specifically what issue you're still having.

Thank you

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.