
Deloton.com



Hello mr_usa666 and welcome to Malwarebytes,

Continue with the following:

Turn on System Restore - https://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, I recommend "Desktop", then attach it to your reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…


Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in reply, also tell me if there are any remain issues or concerns...

Thank you,

Kevin...

fixlist.txt


On 7/29/2018 at 4:44 AM, kevinf80 said:
Hello mr_usa666 and welcome to Malwarebytes,

Continue with the following:

Turn on System Restore - https://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

 

Thanks for the reply kevin but I'll have to get back to you on the whole process 'cause I'm stuck with not being able to enable/re-enable system restore. I'm waiting for someone in the Microsoft Community to help me.

P.S.: I've tried the different methods suggested on the linked site but to no avail. All 3 items mentioned for services.msc are now running & automatic. Thanks for your patience.


Ok I'm back!

With the help of the Microsoft Community, my "System Restore" is enabled and working. Didn't know that "System Protection" was the new name for "System Restore".

So 1st step is done.

Next as requested ...

The FRST log, Malwarebytes log, Zemana log, and then the Sophos log.

 

I've done the steps according to your first reply, and after all the scans & reboots I went back to my favorite site where I noticed my "deloton.com" problem for the first time (http://kissanime.ru/), and tried downloading an anime again (Rapid Video); the problem is still present. I tried downloading something else from another site and it's still the same. The way I see it, I might have to reformat in order to get rid of this.

Thanks kevin for your help, and get back to me if you have questions and/or you find something that may help.

Fixlog.txt

ThreatScan.txt

2018.07.31-01.07.57-i0-t92-d2.txt

SophosVirusRemovalTool.log


23 minutes ago, kevinf80 said:

Does the issue only affect Firefox browser...? if so start Firefox in safemode, see if that clears the problem..

https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

So the result of Firefox in safe mode: "deloton.com" still loads in the background. And as for MS Edge, I got attacked with a ransomware, which I had to kill the MS Edge process to close.


Run the following:

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)

  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.
Do not use the Remove Selected option until I've had a look at the log..

 


Here is the log from RogueKiller

RogueKiller V12.12.29.0 (x64) [Jul 30 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : Yves Beauregard [Administrator]
Started from : C:\Users\Yves Beauregard\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 07/31/2018 14:51:57 (Duration : 00:55:20)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\IM -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\OCS -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\IM -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\OCS -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 198.251.50.199 198.251.50.200 ([Canada][Canada])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{35d7d71d-7e12-4018-a90f-ce3ab81b7388} | DhcpNameServer : 198.251.50.199 198.251.50.200 ([Canada][Canada])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{D50627F1-3AD4-4C3E-8617-F4B7B3071549}C:\users\yves beauregard\appdata\local\programs\lnv\stremio\stremio.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\yves beauregard\appdata\local\programs\lnv\stremio\stremio.exe|Name=stremio.exe|Desc=stremio.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{4202B24E-4A29-4D60-9D82-6B7FD32A9B05}C:\users\yves beauregard\appdata\local\programs\lnv\stremio\stremio.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\yves beauregard\appdata\local\programs\lnv\stremio\stremio.exe|Name=stremio.exe|Desc=stremio.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{5E898F3F-C1DB-48EB-A54F-95934BDFB1A6}C:\users\yves beauregard\appdata\local\jdownloader v2.0\jdownloader2.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\yves beauregard\appdata\local\jdownloader v2.0\jdownloader2.exe|Name=JDownloader 2 Launcher|Desc=JDownloader 2 Launcher|Defer=User| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9507C17F-B90D-4554-A71F-1F927EFE1640}C:\users\yves beauregard\appdata\local\jdownloader v2.0\jdownloader2.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\yves beauregard\appdata\local\jdownloader v2.0\jdownloader2.exe|Name=JDownloader 2 Launcher|Desc=JDownloader 2 Launcher|Defer=User| [7] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-87212062-4217360125-4181678025-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 6 ¤¤¤
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.Gen0][File] C:\Windows\SECOH-QAD.exe -> Found
[PUP.uTorrentAds][File] C:\Users\Yves Beauregard\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
[PUP.uTorrentAds][File] C:\Users\Yves Beauregard\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Found
[PUP.uTorrentAds][File] C:\Users\Yves Beauregard\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Found
[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] 3qh0ctl2.default-1508363702733 : user_pref("browser.startup.homepage", "https://mail.google.com/mail/u/0/h/16nw2t5d0xn8p/?tab=wm&zy=g&f=1"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AVDS-63U7B1 ATA Device +++++
--- User ---
[MBR] 5aa5f938b0d391d40ccb9c3886cec77e
[BSP] 746341fceaff571cd17b2add6958f000 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 101900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 209717248 | Size: 374538 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HP ENVY 5530 series USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


and just in case it's written in Chinese

I haven't used "Remove Selected", waiting for further instruction.

thanks

 

RogueKiller_Scanlog.txt

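As an added example (not RogueKiller's own code, and not from anyone in this thread), here is a small Python parser for the report format shown above. It runs over a constructed sample report with placeholder SIDs, user names, paths and IPs, turns each `[Category] ... -> Found` line into a record, and pulls out the two things a responder would check first in a log like this: the resolvers behind a PUM.Dns entry (to compare against the ISP or router DNS you expect) and inbound Allow firewall rules that point at a program under a user profile. The helper names and the sample data are all assumptions of this example.

```python
"""Parse a RogueKiller-style scan report into structured findings and pull out
the entries worth triaging first. Constructed sample data; not RogueKiller's parser."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s+:\s*(?P<count>\d+)?")
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]"                  # [PUM.Dns], [Suspicious.Path], ...
    r"(?:\[(?P<kind>[^\]]+)\])?"                   # optional [File], [Folder], [Firefox:Config]
    r"\s*(?:\((?P<arch>X64|X86)\)\s*)?"            # optional registry view (X64)/(X86)
    r"(?P<body>.+?)\s*->\s*(?P<status>\w[\w ]*)$"  # "... -> Found"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample modelled on the report format; SIDs, paths and IPs are placeholders.
SAMPLE_REPORT = r"""
RogueKiller V12.x (x64) (constructed sample, not a real scan)
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-0-0-0-1001\Software\IM -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.0.2.53 192.0.2.54 ([Example][Example])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{00000000-0000-0000-0000-000000000001}C:\users\alice\appdata\local\programs\example\example.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\alice\appdata\local\programs\example\example.exe|Name=example.exe|Desc=example.exe|Defer=User| [x] -> Found

¤¤¤ Files : 2 ¤¤¤
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.Gen0][File] C:\Windows\SECOH-QAD.exe -> Found

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] abc123.default : user_pref("browser.startup.homepage", "https://example.org/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: EXAMPLE DISK +++++
[MBR] 00000000000000000000000000000000
"""


@dataclass
class Finding:
    section: str             # report section the line sits under (Registry, Files, ...)
    category: str            # family tag, e.g. PUP.Gen1, PUM.Dns, Suspicious.Path
    kind: Optional[str]      # File / Folder / Firefox:Config when present
    arch: Optional[str]      # X64 / X86 registry view when present
    location: str            # registry key, file path or browser profile
    value: Optional[str]     # "Name : data" for registry entries, the pref for browser entries
    status: str              # Found / Deleted / ...


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # headers, MBR hashes, blank lines
        body = m.group("body")
        # Registry lines read "KEY | Name : data", browser lines "profile : pref",
        # file lines are a bare path.
        location, sep, value = body.partition(" | ")
        if not sep:
            location, sep, value = body.partition(" : ")
        findings.append(Finding(section, m.group("category"), m.group("kind"),
                                m.group("arch"), location.strip(),
                                value.strip() or None, m.group("status")))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per family tag."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def dns_servers(findings: List[Finding]) -> List[str]:
    """Resolvers flagged under PUM.Dns; compare these with the DNS you expect to be using."""
    ips = set()
    for f in findings:
        if f.category == "PUM.Dns" and f.value:
            ips.update(IPV4_RE.findall(f.value))
    return sorted(ips)


def inbound_allow_rules(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Firewall rules flagged Suspicious.Path that allow inbound traffic to a program
    under a user profile (AppData); returns (rule name, program path) pairs."""
    hits: List[Tuple[str, str]] = []
    for f in findings:
        if f.category != "Suspicious.Path" or not f.value or "FirewallRules" not in f.location:
            continue
        _, _, data = f.value.partition(" : ")            # drop the "TCP Query User{...}" name
        fields = dict(kv.split("=", 1) for kv in data.split("|") if "=" in kv)
        app = fields.get("App", "")
        if fields.get("Action") == "Allow" and fields.get("Dir") == "In" and "\\appdata\\" in app.lower():
            hits.append((fields.get("Name", "?"), app))
    return hits


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summary(found))
    print("DNS resolvers flagged:", dns_servers(found))
    print("Inbound allow rules into user profile:", inbound_allow_rules(found))
```

Run it against a saved RogueKiller_Scanlog.txt by passing the file's contents to `parse_report`; the PUM.Dns resolvers are only a problem if they are not the addresses your ISP or router actually hands out, and an inbound Allow rule for a program in AppData is worth a look but is also what many legitimate user-installed downloaders create.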

Thanks for that log mr_usa666, run RK again, this time let RK complete and remove all found entries.. Post the produced log.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

Let me see those logs in your reply, also let me know if there are any remaining issues or concerns...

Thank you,

Kevin....

 


Hi kevin,

Here are the logs from RogueKiller & Zemana.

After the Zemana scan it displayed "Clean", then I rebooted the PC and went and fetched the last log.

I've tried once again to see if the 'deloton.com' was gone but no.

So I'm grateful that you tried to help me but at 60 years old my patience is running thin...

I'll go get my reserve of patience and reformat and start anew.

Again thanks for your patience in trying to help me.

Regards

RogueKiller_Log.txt

2018.07.31-22.09.41-i0-t92-d0.txt


I'm 63, my patience never runs out... If you are making a fresh install, run one more check for me first please...

Run FRST one more time:

Type or copy/paste the following in the edit box after "Search:".

deloton.*

Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.

Thanks,

Kevin

 

 

Edited by kevinf80

I'm sorry but I searched again making sure that the Asterisk was there and yet still the same.

Could it be because I'm using a newer version of FRST (v. 21.7.2018)? Also, when I load the .exe I get an error message stating 'Failed to update'. Is it because I've deleted the "Addition.txt" file? If so I'll have to do a threat scan again.

Here's the re-tried log of FRST Search Reg

SearchReg.txt


1 hour ago, kevinf80 said:

Another blank log... can you recall installing any software that may coincide with the redirection...

If you type apps and features into the search option, then select it you will see a list of installed programs. Next to that list will be an installed date, do any coincide..?

Nope! Nothing is screaming "UNINSTALL ME" ?

In my younger days of computing, I've dealt with Trojans, worms, and the like without any problem but this one got me good.

It's not that this PUP does anything damaging but it's just annoying having to close 2 tabs every time I need to download an anime.

FYI before asking for help I did a search in the windows registry without any success.


Here are the last logs (I hope)

And after 3 attempts at downloading my anime... Drum roll please... success, no trace of deloton.com

But I'm still keeping my fingers crossed. BTW do you know it's really hard to type with your fingers crossed.

Anyway Kevin, you've been a tremendous help guiding me through this ordeal, and encouraging me to persevere to rid myself of this annoyance.

Malware_Threat_Scan.txt

HitmanPro_20180801_2019.log

2018.08.01-19.33.20-i0-t92-d1.txt


That is good news mr_usa666, I'm always persistent when chasing such PIAs. Also just to confirm paypal payment, thank you very much indeed...

To clean up do the following:

Delete RogueKiller portable from your Desktop, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Uninstall Sophos AV and Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 
