Jump to content

Constant pop-up windows due to easydevlin.xyz


Recommended Posts

Hi, for a few days now, I've had constant pop-ups from Malwarebytes blocking the domain eazydevlin.xyz, ip address 172.64.141.2. It wants to send out of the port 59277 outbound from my chrome.exe file. I don't know what caused it, but I can't get rid of it. At least Malwarebytes is catching it. I searched the Internet and this forum. I didn't find much on the Internet. I found one site on the Internet taht tells a story of how this virus gets into your computer all over the place, but it hasn't done so on my computer thanks to your program. This must be relatively new. I saw two others that had this issue in this forum, but their causes and solutions didn't seem to apply to me. Anyway, I know the files you want first from the frst64.exe program, which I ran as an administrator, so I have attached them here for you. Appreciate any help. Oh, and I am a paid subscriber. Dawn Lynn

Addition.txt

FRST.txt

Edited by DawnLynn
Typo and one bit of additional information.
Link to post
Share on other sites

Hi DawnLynn :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Do you get the block notifications even when you're not using Google Chrome, or only when you're using it?

Link to post
Share on other sites

Hi Yoan,

Thanks for your help. I just get the block notifications when I am using Google Chrome to answer your question. I also have another tiny issue that maybe others are having? Once I am logged out of the system, I can't log back in, it doesn't like my display name. I have to reset my password every time. So that's what I have been doing. But if you know of this being a more widespread issue with a resolution, please let me know. Otherwise I'll keep resetting my password each time. Thanks a bunch! I'll be around for another couple hours then it's bedtime for me. 

Dawn

Link to post
Share on other sites

Can you take a picture of how it looks like when you log out of your system and can't log back in? So I can see exactly what issue you're facing.

As for the Google Chrome one, I suspect that you have a malicious extension installed.

LdH4gmf.pngGoogle Chrome - Remove Extension/App

  • In Google Chrome, enter chrome://extensions in the address bar and press on Enter
  • In the Extensions page, uninstall these (by clicking on the little garbage can icon on their right)
    • Honey
    • Watchlist - Wikipedia
  • If you don't see the extension listed, it means that it's installed as an App. So enter chrome://apps in the address bar and press on Enter
  • From the Apps page, look for the app, right-click on it and select Remove from Chrome

Link to post
Share on other sites

Hi Yoan,

I've attached the screenprint regarding the login issue. I removed Honey once from Extensions. It added itself back, so I removed it again. It seems to be staying uninstalled this time. The Watchlist - Wkipedia was not in Extension. But I did find it was in Apps, although I don't recall adding it there. I deleted it. The popup is still there, so I guess we'll have to try something else?

Also this morning my MalwareBytes web protection piece was disabled by something. I had to close the browser and restart Malwarebytes to get it renabled. Never something you want to see of course. 

Thanks very much for your help. Oh, maybe I need to reboot or clean out my cache, etc.?

Dawn

signinscreen.jpg

Link to post
Share on other sites

OH! You're having an issue when logging in to your Malwarebytes Forums account, I thought you meant Windows. Well, the error message states that the display name you entered doesn't exist. Try with DawnLynn instead, it should work.

From Chrome, can you also follow the instructions in this thread? Make sure to remove every websites listed under "Other search engines" as well.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

 

Link to post
Share on other sites

Okay, I had to do everything in that link (removing all search engines and start up links, etc.), but I think the pop-up is gone now. I'll continue to monitor today. 

Regarding the login to this forum, it recognizes DawnLynn as the displayname but did not like the password the first time. I had to recover the password to use that displayname the first time. Now, I don't know yet if it will work with that password the next time or not. I will let you know. But I am attaching the screenshot since I had it there and took one. To be noted, when I have to recover the password, I have to enter my email, so that password is being generated for that email regardless of the displayname, just so we are on the same page. The next time I go to sign on, I'll let you know what happens. Thanks a bunch for the other help...I think it helped.. Will be in touch again today.

Dawn

 

signinscreen2.jpg

Link to post
Share on other sites

Hi Yoan,

Ok, good news on the login front. I was able to login again without any problems. Yay! Two logins in a row with the display name DawnLynn and the same password. So thank you much for that. I these login credentials in my LastPass account so should not run into this problem again.

The problem messages I'm getting had seemed to go away for a few hours. But now it just came back again. Some site that I visit frequently must be infecting my computer. The sites I have visited since the cleanup are Goggle, Yahoo Mail, Facebook, Twitter and Wikipedia. But I have had issues before from the sponsored ads inside Yahoo Mail in the past. But now there are sponsored ads in all of the sites except Wikipedia. Oh, and YouTube right before we had a power surge and my computer lost power. It was only after my computer shut down and I had to restart it that the messages came back again. This one might be tricky to resolve. It's really annoying though, the messages are so constant, that I had to move my browser from where I like to use it over to the left so the message are not constantly coming up on top of it. It seems to me this is a newer malware that is just being discovered. Let me know what I can try next, if anything. Thanks a bunch!

Dawn

Link to post
Share on other sites

Alright let's do a sweep with AdwCleaner and RogueKiller.

zcMPezJ.pngAdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RQKuhw1.pngRogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log

Link to post
Share on other sites

Alright, I was still getting the unwanted popups this morning even after cleaning everything out. I have been running the AdwCleaner all along since it's a product from Malwarebytes. Today, it found the same two PUP files it usually finds. I hadn't been running it as an administrator in prior instances but I did today. So, here are the copied log files from both products, Adwcleaner and RogueKiller. Regarding RogueKiller, it marked an extension of my 360 Total Security, so I did not remove that. It also marked a suspicious path to my Roboform program on my Flash drive, so I did not remove that either. The rest, however, I let it clean up. However, I will note that the Chrome Addon to the JSONView with the long string was actually a defunct Chrome extension and probably not the issue; I just let the program clean it up for me. There were some other detections, though, that seem like true detections.

I wonder why you want copy/pasted files rather than attachments?

Here's AdwCleaner:

# -------------------------------
# Malwarebytes AdwCleaner 7.2.2.0
# -------------------------------
# Build:    07-17-2018
# Database: 2018-07-19.5
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    07-25-2018
# Duration: 00:00:03
# OS:       Windows 10 Pro
# Cleaned:  2
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted       Ask
Deleted       AOL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1301 octets] - [18/07/2018 16:10:17]
AdwCleaner[C00].txt - [1429 octets] - [18/07/2018 16:10:35]
AdwCleaner[S01].txt - [1363 octets] - [20/07/2018 21:44:49]
AdwCleaner[C01].txt - [1549 octets] - [20/07/2018 21:45:07]
AdwCleaner[S02].txt - [1524 octets] - [24/07/2018 11:51:02]
AdwCleaner[C02].txt - [1672 octets] - [24/07/2018 11:51:20]
AdwCleaner[S03].txt - [1646 octets] - [25/07/2018 11:04:06]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C03].txt ##########
 

RogueKiller file

RogueKiller V12.12.28.0 (x64) [Jul 23 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : DawnLynn [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 07/25/2018 10:21:22 (Duration : 00:37:56)

¤¤¤ Processes : 1 ¤¤¤
[Test.EICAR] QHActiveDefense.exe(2432) -- C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[7] -> Found

¤¤¤ Registry : 2 ¤¤¤
[PUP.HackTool|VT.Detected] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_G_C8B4\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9A45CDA9-6A69-402E-9C9A-63193619D0BA} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1688|App=C:\Windows\KMS-R@1n.exe|Name=KMS-R@1n| [x] -> Deleted
[PUP.HackTool|VT.Detected] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_G_C8B4\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2409AE72-E06F-4498-BD31-0995DBF90A14} : v2.27|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|LPort=1688|App=C:\Windows\KMS-R@1n.exe|Name=KMS-R@1n| [x] -> Deleted

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \Run RoboForm TaskBar Icon -- C:\Users\DawnLynn\AppData\Local\Temp\RoboTaskBarIcon.exe -> Not selected

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : JSONView [chklaanhfefbnpoihckbnefhakgolnmc] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00BN5A0 ATA Device +++++
--- User ---
[MBR] 1e31aec97b0dbf1ba4396447bc133734
[BSP] 20b31c0812e64b2583c1d42929dc8d70 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 549 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1126400 | Size: 44451 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 919488449 | Size: 504896 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3200AAKS-61L9A0 ATA Device +++++
--- User ---
[MBR] 9f8b6b370b680d237a1749092bcc18a5
[BSP] da2cee23cb90c3015905830b2342b32b : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 549 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1126400 | Size: 59450 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

 

Link to post
Share on other sites

I'll report the FP from RogueKiller to its developer :)

Also, you can attach the logs, I don't mind. It's just easier in a way where I don't have to download anything, and I can access the logs simply by opening the thread. Can you also review your Google Chrome extensions, and uninstall the ones you don't use/need anymore?

Link to post
Share on other sites

No, I don't mind copying and pasting the logs then if that is the case. It's fine. I haven't had the problem since I used RogueKiller. What's the FP? Did you see the problem with RogueKiller? I did check my extensions, but I will look again. I don't use many and I don't keep any around I don't use usually. I mean, those Google and Chrome ones I don't pay attention to as they are installed as part of the browser and using Goggle search... are you saying I should remove those? I have four extensions for Pinterest and I use that site all the time. And one for LastPass which is my password protector. And one for 360 Total Security. And ExportHistory lets me export my browser history into other formats. And I need Adobe Acrobat. Not sure if I need JSONView. And uBlockOrigin from you asking me to use it. The rest are like I said, from the browser and search...just let me know. Thanks!

Dawn

Link to post
Share on other sites

FP is False Positive. Basically, a detection for something that is legitimate, such as the 360 Total Security process. The detection for RoboForm is "legitimate", in a way that tasks shouldn't run files from the Temp folder, as a lot of malware do that, and the content of that folder is really dynamic. It isn't a good practice. Not sure if this can be adjusted.

According to your FRST logs, these are the Google Chrome extensions you have installed.

CHR Extension: (Slides) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-03-15]
CHR Extension: (Docs) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-03-15]
CHR Extension: (Google Drive) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-03-15]
CHR Extension: (YouTube) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-03-15]
CHR Extension: (JSONView) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\chklaanhfefbnpoihckbnefhakgolnmc [2018-03-17]
CHR Extension: (Adobe Acrobat) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-03-19]
CHR Extension: (Pinterest Enhanced) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\egpachgbfnbpkceigfpcpicekmiehame [2018-03-17]
CHR Extension: (Button for Pinterest™) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbfjhllmkehmdajjlkolhdjjlfcmmlpl [2018-03-17]
CHR Extension: (Sheets) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-03-15]
CHR Extension: (Google Docs Offline) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-03-16]
CHR Extension: (360 Internet Protection) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\glcimepnljoholdmjchkloafkggfoijh [2018-03-22]
CHR Extension: (Pinterest Save Button) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2018-07-03]
CHR Extension: (Export History) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcohnnbbiggngobheobhdipbgmcbelhh [2018-04-16]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2018-07-17]
CHR Extension: (Speed Dial 2 New tab) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpfpebmajhhopeonhlcgidhclcccjcik [2018-04-24]
CHR Extension: (Save Button for Pinterest) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\keckjhpnlkboakghjefkmljidppfdcpo [2018-07-12]
CHR Extension: (Pinterest Sort) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\kplolodplccfcgohfnpionjfikcjfhph [2018-03-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-03]
CHR Extension: (Gmail) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-03-15]
CHR Extension: (Chrome Media Router) - C:\Users\DawnLynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-06-06]

It matches what you told me, except for maybe Speed Dial 2 New tab, since you didn't mention it.

So there are no more pop-ups now?

Link to post
Share on other sites

Hi Yoan,

Okay, the Speed Dial 2 extension does not show up in my Extensions view. I even typed it into the Search box, but no dice. Perhaps it is hidden. Do you know how I can find it? I did remove it, it all, I thought.

On the Roboform extension, you are right, it will meet with resistance to any change because that version, version 7, has been deprecated. Version 8 and higher are the versions that are current versions that are sold. Due to the way browsers work now, the Roboform people decided to discontinue the Roboform To Go application and any use of flash drives in the future. It's all web based versions from version 8 on. However, they do support version 7 for backward compatibility for now. I'm not sure how long this will continue. I'm transferring my passwords to LastPass. But I have a lot and it is taking some time. It's LastPass Free for me now, instead of paying for RoboForm 8. 

Lastly, yes this morning so far, I have not had the popup message from Malwarebytes. I can really pinpoint it to running RogueKiller I believe. 

Thanks, Dawn

Link to post
Share on other sites

I personally use LastPass Free and I like it. It suits my needs. Though I'm an ex-LastPass Premium user, so since I already had my LastPass sync'd across multiple devices, once I reverted back to the Free version, they didn't remove my ability to use LastPass anywhere.

In that case, let's try something. Let's check back in 72h, and see if during that time, you got any notifications from Malwarebytes. If you didn't, then we can consider that issue solved and close this thread. What do you say? :) 

Link to post
Share on other sites

Yoan,

I think that the speed 2 dial extension is gone, I have used the Chrome Apps & Extensions Developer Tool to look for it, and there are no signs of it. Thanks for the recommendation on LastPass.

Still no nasty pop-up messages from eazydevlin. I say yes your proposal sounds good, 72 hours without any messages and we call it and close the thread sounds good to me. I use my computer a lot, btw.

Thanks!

Dawn

Link to post
Share on other sites

Hi Yoan,

It would appear that the block notifications have disappeared for good. I am still not getting any as of today. We do not know what caused them, unfortunately, or at least I do not. But the important is stopping them. Thanks for your help. I could not have done this without it. I expect you will close this thread now so happy weekend!

Dawn

Link to post
Share on other sites

No problem Dawn, you're welcome. Glad to see that we managed to solve the issue, somehow :P

 

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Check the following options :
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Once all the options mentionned above are checked, click on Run
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply

Qt25440.pngTips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days) which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like eF2jhaz.pngUCheck, SUMo and y5YE7At.pngHeimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Anti-Virus

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Anti-Malware, Anti-Exploit and Anti-Ransomware

Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundle all these layers in one, easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that works together in order to keep your system protected and stop an infection at multiple level.

  • j1Bynr2.pngMalwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version

Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them.

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.

  • 7p3JzTS.pngGlassWire - Has both a free and paid version (with different packages)
  • MQIMh6k.pngWindows Firewall Control - Gives you more control over your Windows Firewall
  • 5RXGshU.pngTinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. 

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.

  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera)
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers)
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers)
  • uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera)
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser)

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:


As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :


gRvSooB.pngThe End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member.

Do you have any questions before I close this thread? :)

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.