
Virus Denying Internet Access (Certificate issue?)


Unread postby JustTheEngineer » January 10th, 2017, 10:59 pm

Hi there, here are the two logs I had to post.

FRST.txt

Addition.txt


My description of my problem is as follows:

Installed some unpleasant malware yesterday and while I've cleaned the bulk of it up, this is the only thing that still remains. I use Google Chrome on Windows 10 and every time I search something that isn't a URL I get the following error message:
    Your connection is not private

    Attackers might be trying to steal your information from http://www.google.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

If I were to type in a URL, it works fine and it takes me to the site with no issues at all (unless it is Youtube, I can visit the site but it's just a broken mess). I'm able to type in search engines like msn.com and I can use their search function without using a URL with no issues at all. From what research I gathered about CERT_AUTHORITY_INVALID, it appears as though the issue is regarding Google Chrome not finding the certificate of whatever I'm searching as a secure one. The two antivirus programs I'm using are MalwareBytes (free version) and Windows Defender. Tried to remedy this thing for approximately 7 hours and I'm all out of ideas, please help! :(
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby pgmigg » January 10th, 2017, 11:15 pm

Hello JustTheEngineer,

Welcome to the forum! :)

I am pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights and permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process until we are done. Also,
    DO NOT remove or scan with anything on your system unless I ask. This adds more items to be researched.
    Extra Additions and Removals of files make the analysis more difficult.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please continue responding until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4535
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 11th, 2017, 12:00 am

Hey, pgmigg, thanks for offering your help. I'll back up my computer now.
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby pgmigg » January 11th, 2017, 1:20 am

Hello JustTheEngineer,

Step 1.
Create a System Restore Point
  1. Right-click on the Start button and select System.
  2. In the left pane, click System protection. If UAC prompts, allow it. A separate System Properties window will open on the System Protection tab.
  3. Under Protection Settings select disk C:, then click on Configure... button below.
  4. Click on Turn on system protection.
  5. Under Disk Space Usage adjust Max Usage to 5%.
  6. Click Apply, then OK buttons.
  7. Click Create... button.
  8. In the System Protection dialog box, type a description, then click Create.
    A Restore Point will be created and you should receive a message: "The restore point was created successfully."
  9. Click Close and exit.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.
  1. Please download TCRB from HERE and save it to your Desktop.
  2. Double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
  3. Launch TCRB.
  4. Click the Backup Registry tab and make sure all the boxes are checked.
  5. Click on Backup Now.
  6. Once the backup is finished you can now exit the program.
< STOP > Do not proceed any further if you were not able to create a registry backup. Post back with what happened so we can determine why it was unsuccessful.

Step 3.
Run CKScanner
  1. Please download CKScanner from here
  2. Important: - Save it to your Desktop.
  3. Double-click CKScanner.exe and click Search For Files.
  4. After a very short time, when the cursor hourglass disappears, click Save List To File.
  5. A message box will verify the file saved.
  6. Double-click the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Step 4.
TSG - SysInfo utility
  1. Please download SysInfo.exe and save it to your Desktop.
  2. Right click SysInfo.exe and select "Run As Administrator" to run it... if UAC prompts, please allow it.
  3. A small square window will open with its text already highlighted - please right click on it, select Copy and then paste it in your next post.

Then:
Please tell me: is this computer used for business purposes and/or connected to a business network?
I need to know so I can provide the proper instructions.

Please post each log separately to prevent it from being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections...

Don't post anything as attachments unless I will ask you about it specifically!

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of CKFiles.txt log file
  3. Contents of TSG - SysInfo utility
  4. Answer to my question about how your computer is used

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4535
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 11th, 2017, 8:30 pm

B.

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.XMAAR0
----- EOF -----
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 11th, 2017, 8:31 pm

D.

Tech Support Guy System Info Utility version 1.0.0.4
OS Version: Microsoft Windows 10 Home, 64 bit
Processor: Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz, Intel64 Family 6 Model 60 Stepping 3
Processor Count: 8
RAM: 8143 Mb
Graphics Card: NVIDIA GeForce GTX 770, -2048 Mb
Hard Drives: C: 111 GB (0 GB Free); G: 931 GB (394 GB Free);
Motherboard: ASRock, Z97 Killer
Antivirus: Windows Defender, Enabled and Updated
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 11th, 2017, 8:32 pm

A. and D. (above post meant to be C., sorry)

I had no problems executing the instructions.

This computer is used for some of my schoolwork but primarily for my own recreational use at home.
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby pgmigg » January 12th, 2017, 1:29 am

Hello JustTheEngineer,

OK. Good. Let's start our treatment... :)

Step 1.
FRST Fix
  1. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  2. Please press the Windows Key + R.
  3. Type notepad.exe into the text box and click OK.
  4. A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [EYRKE24C10] => "C:\Program Files\IC2V2WYVYK\IC2V2WYVY.exe"
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe <===== ATTENTION
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [NUNFA29225] => "C:\Program Files\2A2LPM4EMV\2A2LPM4EM.exe"
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [8OWUXWBOLA] => "C:\Program Files\WULGW5D5I7\WULGW5D5I.exe"
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [CREBFQSHC2] => "C:\Program Files\4W0W2ATTVO\OOUXACVEO.exe"
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-233390903-2661952563-451428824-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=H1Azftptn095001BU,99d2d407-79a2-423f-bfc9-5a32c9d22a91,&vp=ch&prd=set_ch
    CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=H1Azftptn095001BU,99d2d407-79a2-423f-bfc9-5a32c9d22a91,&vp=ch&prd=set_ch"
    S1 QMUdisk; \??\G:\New folder (2)\QQPCMgr\11.5.17480.801\QMUdisk64.sys [X]
    FirewallRules: [{37A44789-887F-4CA6-8ACF-C952769083E9}] => C:\Users\Primitive\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{2031FA55-552B-4B93-A5AE-72E51F6A14C1}] => C:\Users\Primitive\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{97E16202-4044-4F0F-9BF2-84A496F9CD3C}] => ?????????????????????????
    FirewallRules: [{E5FB93B2-C21A-4215-90F2-2B657ABA1B03}] => ?????????????????????????e
    FirewallRules: [{40FFEEF4-8644-4556-A6C6-AD56BA9C3C94}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
    FirewallRules: [{6EBFBA97-8AB9-487C-AE84-C00896D56CF6}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
    FirewallRules: [TCP Query User{C128DD8E-6669-4F8C-A7CC-4CF4B15680EE}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
    FirewallRules: [UDP Query User{B861456E-70E4-469F-8B4F-7F0BF6105783}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
    Task: {261E3E8C-3AD7-4C4D-8AA9-783CF4434369} - \{090E0447-0D79-7F0A-7D11-0B0F7A791178} -> No File <==== ATTENTION
    Task: {36B00A86-14C3-41A7-B53D-1E7ADF3EF867} - \AutoKMS -> No File <==== ATTENTION
    Task: {65B50D4F-1AFF-436B-BC6B-F129C6A6B586} - \KMSAutoNet -> No File <==== ATTENTION
    Task: {777CF6EA-4249-47B6-A683-FE7135473D41} - \{2287B3D0-B907-4177-80BB-5FF6B8136810} -> No File <==== ATTENTION
    Task: {A30D90C7-A77F-4157-8682-6BEA2B13BD31} - \SwiftPCOptimizer -> No File <==== ATTENTION
    Task: {A6004B45-D432-4BF3-88FF-141BF7861078} - \SwiftPCOptimizer_Start -> No File <==== ATTENTION
    Task: {AC6523D9-CF90-4522-B591-AA44718C9766} - \{112A8B3F-1DAE-489F-8929-1C94F206F211} -> No File <==== ATTENTION
    TTask: {D8A06427-5D05-4CE1-BE41-5F3886ED06BC} - \{422AEE5F-5505-466A-BA11-DE3F57D65AA8} -> No File <==== ATTENTION
    Task: {E8283A05-12C4-4092-B1F0-6EDD015C702A} - \{504E3221-1CBB-4D6A-BF66-4695DD06B783} -> No File <==== ATTENTION
    C:\program files (x86)\google\chrome\application\chrome334.exe
    G:\New folder (2)\QQPCMgr\11.5.17480.801\QMUdisk64.sys
    C:\Users\Primitive\AppData\Local\Temp\8F19.tmp.exe
    C:\Users\Primitive\AppData\Local\Temp\BrowserAir.exe
    C:\Users\Primitive\AppData\Local\Temp\condefclean.exe
    C:\Users\Primitive\AppData\Local\Temp\InstallHelper.exe
    C:\Users\Primitive\AppData\Local\Temp\jre-8u101-windows-au.exe
    C:\Users\Primitive\AppData\Local\Temp\libeay32.dll
    C:\Users\Primitive\AppData\Local\Temp\msvcr120.dll
    C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI.dll
    C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI64.dll
    C:\Users\Primitive\AppData\Local\Temp\nvscpapisvr.exe
    C:\Users\Primitive\AppData\Local\Temp\nvStInst.exe
    C:\Users\Primitive\AppData\Local\Temp\PidGenX.dll
    C:\Users\Primitive\AppData\Local\Temp\QQPCDOWNLOAD74707.EXE
    C:\Users\Primitive\AppData\Local\Temp\sqlite3.dll
    C:\Users\Primitive\AppData\Local\Temp\SynciosDeviceService.exe
    C:\Users\Primitive\AppData\Local\Temp\tu17p84.exe
    C:\Users\Primitive\AppData\Local\Temp\Uninstall.exe
    C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_280234.exe
    C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_61000.exe
    C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_72171.exe
    Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden <==== ATTENTION
    
    Folder: C:\Program Files\4W0W2ATTVO
    Folder: C:\Program Files\WULGW5D5I7
    Folder: C:\Program Files\2A2LPM4EMV
    Folder: C:\Program Files\IC2V2WYVYK
    Folder: C:\Users\Primitive\AppData\Roaming\uTorrent
    
    Hosts:
    EmptyTemp:
    CMD: ipconfig /flushdns
  5. Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  6. Right click on FRST64.exe and select Run as administrator.
  7. Press the Fix button one time only and wait.
  8. When FRST finishes you will be prompted to reboot your computer. Click OK.
  9. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step 2.
AdwCleaner - Scan Only
  1. Please download AdwCleaner (today it is version 6.042) and save it to your Desktop.
  2. Close all open programs and windows so that you are at your Desktop.
  3. Right click on adwcleaner.exe and click Run as administrator...
  4. Click on the Scan button.
  5. When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep." Do not attempt to clean anything at this point.
  6. Click on the Logfile button. This will open a file, AdwCleaner[S1].txt. Copy and paste the contents of that log file in your reply.

Please post each log separately to prevent it from being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections...

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the fixlog.txt log file
  3. Contents of the AdwCleaner[Sn].txt log file
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4535
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
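The fixlist above ends with a Hosts: directive, which tells FRST to replace the hosts file with a clean one. A hosts entry that points a well-known name such as www.google.com at some other server makes the browser fetch that site from the wrong machine, which then presents whatever certificate it has, and Chrome refuses it with a certificate error. The script below is an added example (not part of this thread and not FRST's code) that audits hosts-file text for exactly that pattern: entries on a watched domain that map to a loopback or null address are reported as blocking entries, anything else is reported as a redirect. The hosts content, the watchlist and the 203.0.113.5 address are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file for this example (not the user's real file).
# The first comment lines mirror what a default Windows hosts file carries;
# the 0.0.0.0 line is a blocking entry; the 203.0.113.5 line (a documentation
# range address, constructed) is the redirect pattern a defender wants to see.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0       ads.example.net          # blocking entry, not on the watchlist
203.0.113.5   www.google.com google.com    # redirect of a watched domain
127.0.0.1     mydevbox.local
"""

# Domains whose presence in a hosts file is worth a second look (assumed list).
WATCHLIST = ("google.com", "bing.com", "microsoft.com", "youtube.com")


def parse_hosts(text):
    """Return (hostname, ip_address) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed address field; a full audit would report it
        for name in fields[1:]:
            entries.append((name.lower().rstrip("."), addr))
    return entries


def classify(name, addr, watchlist=WATCHLIST):
    """'block' for loopback/null mappings of a watched domain, 'redirect' otherwise, None if unwatched."""
    watched = any(name == d or name.endswith("." + d) for d in watchlist)
    if not watched:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def audit_hosts(text, watchlist=WATCHLIST):
    """List (verdict, hostname, ip) for every watched-domain entry in the file."""
    findings = []
    for name, addr in parse_hosts(text):
        verdict = classify(name, addr, watchlist)
        if verdict:
            findings.append((verdict, name, str(addr)))
    return findings


if __name__ == "__main__":
    for verdict, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:8} {name:20} -> {ip}")
```

On a real machine the text would come from C:\Windows\System32\Drivers\etc\hosts; the point of the two verdicts is that a blocking entry is usually deliberate (ad blockers write them), while a redirect of a watched domain is the thing to escalate.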

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 12th, 2017, 7:20 pm

A. I had no issues executing any of the things you told me to.
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 12th, 2017, 7:20 pm

B.

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-01-2017
Ran by Primitive (12-01-2017 17:08:26) Run:1
Running from C:\Users\Primitive\Downloads
Loaded Profiles: Primitive (Available Profiles: Primitive)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [EYRKE24C10] => "C:\Program Files\IC2V2WYVYK\IC2V2WYVY.exe"
HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe <===== ATTENTION
HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [NUNFA29225] => "C:\Program Files\2A2LPM4EMV\2A2LPM4EM.exe"
HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [8OWUXWBOLA] => "C:\Program Files\WULGW5D5I7\WULGW5D5I.exe"
HKU\S-1-5-21-233390903-2661952563-451428824-1001\...\Run: [CREBFQSHC2] => "C:\Program Files\4W0W2ATTVO\OOUXACVEO.exe"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-233390903-2661952563-451428824-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=H1Azf ... prd=set_ch
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=H1Azftptn095001BU,99d2d407-79a2-423f-bfc9-5a32c9d22a91,&vp=ch&prd=set_ch"
S1 QMUdisk; \??\G:\New folder (2)\QQPCMgr\11.5.17480.801\QMUdisk64.sys [X]
FirewallRules: [{37A44789-887F-4CA6-8ACF-C952769083E9}] => C:\Users\Primitive\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2031FA55-552B-4B93-A5AE-72E51F6A14C1}] => C:\Users\Primitive\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{97E16202-4044-4F0F-9BF2-84A496F9CD3C}] => ?????????????????????????
FirewallRules: [{E5FB93B2-C21A-4215-90F2-2B657ABA1B03}] => ?????????????????????????e
FirewallRules: [{40FFEEF4-8644-4556-A6C6-AD56BA9C3C94}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{6EBFBA97-8AB9-487C-AE84-C00896D56CF6}] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [TCP Query User{C128DD8E-6669-4F8C-A7CC-4CF4B15680EE}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{B861456E-70E4-469F-8B4F-7F0BF6105783}C:\program files (x86)\google\chrome\application\chrome334.exe] => C:\program files (x86)\google\chrome\application\chrome334.exe
Task: {261E3E8C-3AD7-4C4D-8AA9-783CF4434369} - \{090E0447-0D79-7F0A-7D11-0B0F7A791178} -> No File <==== ATTENTION
Task: {36B00A86-14C3-41A7-B53D-1E7ADF3EF867} - \AutoKMS -> No File <==== ATTENTION
Task: {65B50D4F-1AFF-436B-BC6B-F129C6A6B586} - \KMSAutoNet -> No File <==== ATTENTION
Task: {777CF6EA-4249-47B6-A683-FE7135473D41} - \{2287B3D0-B907-4177-80BB-5FF6B8136810} -> No File <==== ATTENTION
Task: {A30D90C7-A77F-4157-8682-6BEA2B13BD31} - \SwiftPCOptimizer -> No File <==== ATTENTION
Task: {A6004B45-D432-4BF3-88FF-141BF7861078} - \SwiftPCOptimizer_Start -> No File <==== ATTENTION
Task: {AC6523D9-CF90-4522-B591-AA44718C9766} - \{112A8B3F-1DAE-489F-8929-1C94F206F211} -> No File <==== ATTENTION
TTask: {D8A06427-5D05-4CE1-BE41-5F3886ED06BC} - \{422AEE5F-5505-466A-BA11-DE3F57D65AA8} -> No File <==== ATTENTION
Task: {E8283A05-12C4-4092-B1F0-6EDD015C702A} - \{504E3221-1CBB-4D6A-BF66-4695DD06B783} -> No File <==== ATTENTION
C:\program files (x86)\google\chrome\application\chrome334.exe
G:\New folder (2)\QQPCMgr\11.5.17480.801\QMUdisk64.sys
C:\Users\Primitive\AppData\Local\Temp\8F19.tmp.exe
C:\Users\Primitive\AppData\Local\Temp\BrowserAir.exe
C:\Users\Primitive\AppData\Local\Temp\condefclean.exe
C:\Users\Primitive\AppData\Local\Temp\InstallHelper.exe
C:\Users\Primitive\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\Primitive\AppData\Local\Temp\libeay32.dll
C:\Users\Primitive\AppData\Local\Temp\msvcr120.dll
C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Primitive\AppData\Local\Temp\nvscpapisvr.exe
C:\Users\Primitive\AppData\Local\Temp\nvStInst.exe
C:\Users\Primitive\AppData\Local\Temp\PidGenX.dll
C:\Users\Primitive\AppData\Local\Temp\QQPCDOWNLOAD74707.EXE
C:\Users\Primitive\AppData\Local\Temp\sqlite3.dll
C:\Users\Primitive\AppData\Local\Temp\SynciosDeviceService.exe
C:\Users\Primitive\AppData\Local\Temp\tu17p84.exe
C:\Users\Primitive\AppData\Local\Temp\Uninstall.exe
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_280234.exe
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_61000.exe
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_72171.exe
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden <==== ATTENTION

Folder: C:\Program Files\4W0W2ATTVO
Folder: C:\Program Files\WULGW5D5I7
Folder: C:\Program Files\2A2LPM4EMV
Folder: C:\Program Files\IC2V2WYVYK
Folder: C:\Users\Primitive\AppData\Roaming\uTorrent

Hosts:
EmptyTemp:
CMD: ipconfig /flushdns
*****************

Restore point was successfully created.
HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Run\\EYRKE24C10 => value removed successfully
HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Itibiti.exe => value removed successfully
HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Run\\NUNFA29225 => value removed successfully
HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Run\\8OWUXWBOLA => value removed successfully
HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Run\\CREBFQSHC2 => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-233390903-2661952563-451428824-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
HKLM\System\CurrentControlSet\Services\QMUdisk => key removed successfully
QMUdisk => service removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{37A44789-887F-4CA6-8ACF-C952769083E9} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2031FA55-552B-4B93-A5AE-72E51F6A14C1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{97E16202-4044-4F0F-9BF2-84A496F9CD3C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E5FB93B2-C21A-4215-90F2-2B657ABA1B03} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{40FFEEF4-8644-4556-A6C6-AD56BA9C3C94} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6EBFBA97-8AB9-487C-AE84-C00896D56CF6} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{C128DD8E-6669-4F8C-A7CC-4CF4B15680EE}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{B861456E-70E4-469F-8B4F-7F0BF6105783}C:\program files (x86)\google\chrome\application\chrome334.exe => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{261E3E8C-3AD7-4C4D-8AA9-783CF4434369} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{261E3E8C-3AD7-4C4D-8AA9-783CF4434369} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{090E0447-0D79-7F0A-7D11-0B0F7A791178} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{36B00A86-14C3-41A7-B53D-1E7ADF3EF867} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36B00A86-14C3-41A7-B53D-1E7ADF3EF867} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{65B50D4F-1AFF-436B-BC6B-F129C6A6B586} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{65B50D4F-1AFF-436B-BC6B-F129C6A6B586} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMSAutoNet => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{777CF6EA-4249-47B6-A683-FE7135473D41} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{777CF6EA-4249-47B6-A683-FE7135473D41} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2287B3D0-B907-4177-80BB-5FF6B8136810} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A30D90C7-A77F-4157-8682-6BEA2B13BD31} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A30D90C7-A77F-4157-8682-6BEA2B13BD31} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SwiftPCOptimizer => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A6004B45-D432-4BF3-88FF-141BF7861078} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6004B45-D432-4BF3-88FF-141BF7861078} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SwiftPCOptimizer_Start => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC6523D9-CF90-4522-B591-AA44718C9766} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC6523D9-CF90-4522-B591-AA44718C9766} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{112A8B3F-1DAE-489F-8929-1C94F206F211} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\T{D8A06427-5D05-4CE1-BE41-5F3886ED06BC} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeT\{422AEE5F-5505-466A-BA11-DE3F57D65AA8} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E8283A05-12C4-4092-B1F0-6EDD015C702A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E8283A05-12C4-4092-B1F0-6EDD015C702A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{504E3221-1CBB-4D6A-BF66-4695DD06B783} => key removed successfully
"C:\program files (x86)\google\chrome\application\chrome334.exe" => not found.
"G:\New folder (2)\QQPCMgr\11.5.17480.801\QMUdisk64.sys" => not found.
C:\Users\Primitive\AppData\Local\Temp\8F19.tmp.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\BrowserAir.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\condefclean.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\InstallHelper.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\jre-8u101-windows-au.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\libeay32.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\msvcr120.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\nvSCPAPI64.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\nvscpapisvr.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\nvStInst.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\PidGenX.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\QQPCDOWNLOAD74707.EXE => moved successfully
C:\Users\Primitive\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\Primitive\AppData\Local\Temp\SynciosDeviceService.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\tu17p84.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\Uninstall.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_280234.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_61000.exe => moved successfully
C:\Users\Primitive\AppData\Local\Temp\uninstall_temp_72171.exe => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}\\SystemComponent => value removed successfully

========================= Folder: C:\Program Files\4W0W2ATTVO ========================

2017-01-09 23:46 - 2017-01-09 23:46 - 0000037 _____ () C:\Program Files\4W0W2ATTVO\cast.config
2017-01-09 23:46 - 2017-01-09 23:46 - 0001275 _____ () C:\Program Files\4W0W2ATTVO\OOUXACVEO.exe.config
2017-01-09 23:46 - 2017-01-09 23:46 - 0010752 _____ (UUY77_) C:\Program Files\4W0W2ATTVO\uninstaller.exe
2017-01-09 23:46 - 2017-01-09 23:46 - 0001275 _____ () C:\Program Files\4W0W2ATTVO\uninstaller.exe.config

====== End of Folder: ======


========================= Folder: C:\Program Files\WULGW5D5I7 ========================

2017-01-09 21:59 - 2017-01-09 21:59 - 0000036 _____ () C:\Program Files\WULGW5D5I7\cast.config
2017-01-09 21:59 - 2017-01-09 21:59 - 0010752 _____ (UUY77_) C:\Program Files\WULGW5D5I7\uninstaller.exe
2017-01-09 21:59 - 2017-01-09 21:59 - 0001275 _____ () C:\Program Files\WULGW5D5I7\uninstaller.exe.config
2017-01-09 21:59 - 2017-01-09 21:59 - 0001275 _____ () C:\Program Files\WULGW5D5I7\WULGW5D5I.exe.config

====== End of Folder: ======


========================= Folder: C:\Program Files\2A2LPM4EMV ========================

2017-01-09 21:53 - 2017-01-09 21:53 - 0001275 _____ () C:\Program Files\2A2LPM4EMV\2A2LPM4EM.exe.config
2017-01-09 21:53 - 2017-01-09 21:53 - 0000036 _____ () C:\Program Files\2A2LPM4EMV\cast.config
2017-01-09 21:53 - 2017-01-09 21:53 - 0010752 _____ (UUY77_) C:\Program Files\2A2LPM4EMV\uninstaller.exe
2017-01-09 21:53 - 2017-01-09 21:53 - 0001275 _____ () C:\Program Files\2A2LPM4EMV\uninstaller.exe.config

====== End of Folder: ======


========================= Folder: C:\Program Files\IC2V2WYVYK ========================

2017-01-09 21:52 - 2017-01-09 21:52 - 0000036 _____ () C:\Program Files\IC2V2WYVYK\cast.config
2017-01-09 21:52 - 2017-01-09 21:52 - 0001275 _____ () C:\Program Files\IC2V2WYVYK\IC2V2WYVY.exe.config
2017-01-09 21:52 - 2017-01-09 21:52 - 0010752 _____ (UUY77_) C:\Program Files\IC2V2WYVYK\uninstaller.exe
2017-01-09 21:52 - 2017-01-09 21:52 - 0001275 _____ () C:\Program Files\IC2V2WYVYK\uninstaller.exe.config

====== End of Folder: ======


========================= Folder: C:\Users\Primitive\AppData\Roaming\uTorrent ========================

2017-01-09 21:49 - 2017-01-09 21:53 - 0008135 _____ () C:\Users\Primitive\AppData\Roaming\uTorrent\settings.dat
2017-01-09 21:49 - 2017-01-09 21:49 - 0008067 _____ () C:\Users\Primitive\AppData\Roaming\uTorrent\settings.dat.old
2017-01-09 21:53 - 2017-01-09 21:53 - 0000251 _____ () C:\Users\Primitive\AppData\Roaming\uTorrent\toolbar.benc
2017-01-09 21:53 - 2017-01-09 21:53 - 0000194 _____ () C:\Users\Primitive\AppData\Roaming\uTorrent\updates.dat
2017-01-09 21:49 - 2017-01-09 21:49 - 0000000 ____D () C:\Users\Primitive\AppData\Roaming\uTorrent\share
2017-01-09 21:53 - 2017-01-09 21:53 - 0000000 ____D () C:\Users\Primitive\AppData\Roaming\uTorrent\updates

====== End of Folder: ======

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 48045 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13803978 B
Java, Flash, Steam htmlcache => 131578 B
Windows/system/drivers => 1718178171 B
Edge => 3090736 B
Chrome => 213957135 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 5885 B
NetworkService => 56104 B
Primitive => 41294000728 B

RecycleBin => 641268 B
EmptyTemp: => 40.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:09:06 ====
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm
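The Fixlog above ends with FRST replacing the hosts file ("Hosts restored successfully") and flushing the DNS resolver cache. The Python script below is an added example for this thread, not code from FRST or from the original posts: it audits a Windows hosts file the way a helper would re-check it after such a fix, flagging any entry that points a hostname at a non-loopback address (a redirect) and any loopback or 0.0.0.0 entry for a name other than localhost (a sinkhole, the usual way adware blocks update or vendor sites). The SAMPLE_HOSTS content is constructed for illustration; the 198.51.100.23 address and the update.example-av.test name are made up and not taken from the logs.

```python
"""Audit a Windows hosts file for redirect and sinkhole entries.

Added example for this thread, not code from FRST or the original posts.
SAMPLE_HOSTS below is constructed for illustration: the 198.51.100.23 address
and the update.example-av.test name are made up.
"""
import ipaddress
import os
from typing import List, NamedTuple, Tuple

# Windows default location; this is the file FRST replaced in the Fixlog.
HOSTS_PATH = r"C:\Windows\System32\Drivers\etc\hosts"

# Names that a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    kind: str  # "redirect": name sent to a remote host; "sinkhole": name blackholed


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, hostnames) for every active mapping line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address; not a mapping line
        entries.append((n, str(ip), [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag every mapping that is not a plain localhost entry."""
    findings = []
    for n, ip_str, names in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        local = ip.is_loopback or ip.is_unspecified  # 127.0.0.0/8, ::1, 0.0.0.0, ::
        for name in names:
            if not local:
                findings.append(Finding(n, ip_str, name, "redirect"))
            elif name not in LOOPBACK_NAMES:
                findings.append(Finding(n, ip_str, name, "sinkhole"))
    return findings


# Constructed sample: a stock header, the two default entries, then one
# redirect line and one sinkhole line of the kind adware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com     # constructed: search traffic redirected
0.0.0.0         update.example-av.test        # constructed: an update host blackholed
"""

if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.kind:8} {f.ip} -> {f.hostname}")
```

On a clean Windows 10 machine the only active lines are the two localhost entries (often none at all, since the defaults are commented out), so any finding at all is worth a look; run the script from an elevated prompt if the file's ACL blocks reading.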

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 12th, 2017, 7:21 pm

C.

# AdwCleaner v6.042 - Logfile created 12/01/2017 at 18:16:30
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-11.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Primitive - RANY
# Running from : C:\Users\Primitive\Downloads\adwcleaner_6.042.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found: AppalmaaZ


***** [ Folders ] *****

Folder Found: C:\Users\Primitive\AppData\Local\28050
Folder Found: C:\Users\Primitive\AppData\Local\YSearchUtil
Folder Found: C:\Users\Primitive\AppData\Roaming\Tencent
Folder Found: C:\ProgramData\Tencent
Folder Found: C:\ProgramData\AppalmaaZ
Folder Found: C:\ProgramData\Application Data\Tencent
Folder Found: C:\ProgramData\Application Data\AppalmaaZ
Folder Found: C:\Users\Public\Documents\Guid
Folder Found: C:\Program Files (x86)\AnonymizerGadget
Folder Found: C:\Program Files (x86)\BestCleaner
Folder Found: C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

File Found: C:\Users\Primitive\Desktop\SysInfo.exe
File Found: C:\WINDOWS\SysNative\drivers\TFsFltX64.sys
File Found: C:\Users\Primitive\AppData\Local\aatxtname.txt
File Found: C:\Users\Primitive\AppData\Local\tr5b.txt


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowService
Key Found: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowService
Key Found: HKLM\SOFTWARE\Classes\metnsd
Key Found: HKLM\SOFTWARE\Classes\qmgcfiles
Key Found: [x64] HKLM\SOFTWARE\Classes\metnsd
Key Found: [x64] HKLM\SOFTWARE\Classes\qmgcfiles
Key Found: HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
Key Found: HKLM\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}
Key Found: HKLM\SOFTWARE\Classes\AppID\{C81BED3B-31BD-491F-813D-78EFC2638CE1}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{D42C3A49-ABAF-464B-BBCE-991C3DD395E8}
Key Found: HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found: HKLM\SOFTWARE\Classes\Interface\{BF8946CD-EEBE-436B-8282-B19A021C9EFE}
Key Found: HKLM\SOFTWARE\Classes\TypeLib\{38DD0B4A-E4E0-4A57-99EE-DCCB185B4728}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{29B6CFD5-0064-411A-8C42-9890C83F9921}
Key Found: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\INSTALLPATH\STATUS
Key Found: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\winmnt
Key Found: HKCU\Software\INSTALLPATH\STATUS
Key Found: HKCU\Software\winmnt
Key Found: HKLM\SOFTWARE\SecureWebChannel
Key Found: HKLM\SOFTWARE\IDOT
Key Found: HKLM\SOFTWARE\mtAppalmaaZ
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
Key Found: [x64] HKCU\Software\INSTALLPATH\STATUS
Key Found: [x64] HKCU\Software\winmnt
Key Found: [x64] HKLM\SOFTWARE\IDOT
Key Found: [x64] HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
Key Found: [x64] HKLM\SOFTWARE\HDWallpaper
Key Found: [x64] HKLM\SOFTWARE\DtsEncodeTools
Key Found: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Key Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found: [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Data Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default] - hxxp://%66%65%65%64.%68%65%6C%70%65%72% ... 4sjWoJtlQg
Key Found: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www-searching.com
Key Found: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www-searching.com
Key Found: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www-searching.c
Key Found: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www-searching.com
Value Found: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Itibiti.exe]
Value Found: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [interpee]
Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [vnlgp]
Value Found: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Interstatnogui]
Key Found: HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
Key Found: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
Key Found: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
Key Found: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
Key Found: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
Key Found: HKEY_CLASSES_ROOT\.qmgc
Key Found: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\AppalmaaZ.exe


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\Primitive\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - jlcgehabolcakkjhgmgpkagpolbjlhfa

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [6950 Bytes] - [12/01/2017 18:16:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7023 Bytes] ##########
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 12th, 2017, 7:22 pm

D.

Yes, I have seen my computer behave differently! Fortunately, I can now search things fine on Google Chrome as if there is nothing wrong with my computer! I figure you'll give instructions next on the 73 threats the AdwCleaner found and I should be ready for the all-clear!
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby pgmigg » January 13th, 2017, 1:29 am

Hello JustTheEngineer,

JustTheEngineer wrote:Yes, I have seen my computer behave differently! Fortunately, I can now search things fine on Google Chrome as if there is nothing wrong with my computer! I figure you'll give instructions next on the 73 threats the AdwCleaner found and I should be ready for the all-clear!
Glad to hear it, but please do not rush - we have not finished the study and treatment. Lack of overt symptoms does not mean that your computer is completely clean! :D
Let's continue...

Step 1.
AdwCleaner - Scan and Clean
  1. You should still have adwcleaner_6.042.exe in your Downloads folder. If not, please download it from HERE.
  2. Please copy/move that file from Downloads to Desktop.
  3. Close all open programs and windows.
  4. Right click on adwcleaner_6.042.exe and click Run as administrator.
  5. Click on the Scan button.
  6. When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  7. Click on Clean button.
  8. Once finished, AdwCleaner will prompt you to reboot. Please allow it to do so.
  9. On reboot a log will open AdwCleaner[S1].txt. Copy and paste the contents of that log file in your reply.

Step 2.
Fresh FRST64 Scan
You should still have FRST64.exe on your Desktop.
  1. Right-click FRST64.exe and select "Run as administrator..." to run it.
  2. When the tool opens, click Yes to the disclaimer if it appears.
  3. Please be sure that the 90 Days Files check box under the Optional Scan section is unchecked.
  4. Please be sure that the Addition.txt check box under the Optional Scan section is checked.
  5. Press Scan button. When finished a log will be created, FRST.txt.
  6. Please post the content of the FRST.txt in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each one after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Please don't post your logs as attached files unless I ask for it!

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the AdwCleaner[S1].txt log file after fresh FRST scan
  3. Contents of the FRST.txt log file after fresh FRST scan
  4. Contents of the Addition.txt log file after fresh FRST scan
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4535
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 13th, 2017, 6:26 pm

A. No problems at all.
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm

Re: Virus Denying Internet Access (Certificate issue?)

Unread postby JustTheEngineer » January 13th, 2017, 6:26 pm

B.

# AdwCleaner v6.042 - Logfile created 13/01/2017 at 17:21:29
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-11.1 [Local]
# Operating System : Windows 10 Home (X64)
# Username : Primitive - RANY
# Running from : C:\Users\Primitive\Desktop\adwcleaner_6.042 - Copy.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: AppalmaaZ


***** [ Folders ] *****

[-] Folder deleted: C:\Users\Primitive\AppData\Local\28050
[-] Folder deleted: C:\Users\Primitive\AppData\Local\YSearchUtil
[-] Folder deleted: C:\Users\Primitive\AppData\Roaming\Tencent
[-] Folder deleted: C:\ProgramData\Tencent
[-] Folder deleted: C:\ProgramData\AppalmaaZ
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Tencent
[#] Folder deleted on reboot: C:\ProgramData\Application Data\AppalmaaZ
[-] Folder deleted: C:\Users\Public\Documents\Guid
[-] Folder deleted: C:\Program Files (x86)\AnonymizerGadget
[-] Folder deleted: C:\Program Files (x86)\BestCleaner
[-] Folder deleted: C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

[-] File deleted: C:\Users\Primitive\Desktop\SysInfo.exe
[-] File deleted: C:\WINDOWS\SysNative\drivers\TFsFltX64.sys
[-] File deleted: C:\Users\Primitive\AppData\Local\aatxtname.txt
[-] File deleted: C:\Users\Primitive\AppData\Local\tr5b.txt


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowService
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\WindowService
[-] Key deleted: HKLM\SOFTWARE\Classes\metnsd
[-] Key deleted: HKLM\SOFTWARE\Classes\qmgcfiles
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\metnsd
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\qmgcfiles
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{C81BED3B-31BD-491F-813D-78EFC2638CE1}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D42C3A49-ABAF-464B-BBCE-991C3DD395E8}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{BF8946CD-EEBE-436B-8282-B19A021C9EFE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{38DD0B4A-E4E0-4A57-99EE-DCCB185B4728}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{29B6CFD5-0064-411A-8C42-9890C83F9921}
[-] Key deleted: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\INSTALLPATH\STATUS
[-] Key deleted: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\winmnt
[#] Key deleted on reboot: HKCU\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: HKCU\Software\winmnt
[-] Key deleted: HKLM\SOFTWARE\SecureWebChannel
[-] Key deleted: HKLM\SOFTWARE\IDOT
[-] Key deleted: HKLM\SOFTWARE\mtAppalmaaZ
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[#] Key deleted on reboot: [x64] HKCU\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: [x64] HKCU\Software\winmnt
[-] Key deleted: [x64] HKLM\SOFTWARE\IDOT
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[-] Key deleted: [x64] HKLM\SOFTWARE\HDWallpaper
[-] Key deleted: [x64] HKLM\SOFTWARE\DtsEncodeTools
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default]
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www-searching.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www-searching.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www-searching.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www-searching.com
[-] Value deleted: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Itibiti.exe]
[-] Value deleted: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [interpee]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [vnlgp]
[-] Value deleted: HKU\S-1-5-21-233390903-2661952563-451428824-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Interstatnogui]
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
[-] Key deleted: HKEY_CLASSES_ROOT\.qmgc
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\AppalmaaZ.exe


***** [ Web browsers ] *****

[-] [C:\Users\Primitive\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: jlcgehabolcakkjhgmgpkagpolbjlhfa


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [7236 Bytes] - [13/01/2017 17:21:29]
C:\AdwCleaner\AdwCleaner[S0].txt - [7174 Bytes] - [12/01/2017 18:16:30]
C:\AdwCleaner\AdwCleaner[S1].txt - [7251 Bytes] - [13/01/2017 17:19:32]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [7455 Bytes] ##########
JustTheEngineer
Regular Member
 
Posts: 57
Joined: January 10th, 2017, 10:43 pm
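With the AdwCleaner scan log (S0) and the clean log (C0) both posted above, the check a helper does next is mechanical: every item the scan reported as Found should appear in the clean log as deleted or restored, and the entries marked [#] were deferred to the reboot and need re-checking afterwards. The Python script below is an added example that does that comparison for the log format shown in this thread; it is not part of the original posts, of pgmigg's instructions or of AdwCleaner itself. The two sample logs embedded in it are abridged from the entries above, with the BestCleaner folder deliberately left out of the clean log so the report has a miss to show; pass two real file paths on the command line to compare actual logs.

```python
"""Compare an AdwCleaner scan log with the clean log that followed it.

Added example for this thread, not AdwCleaner's own code. SCAN_LOG and
CLEAN_LOG are abridged from the logs posted above; the BestCleaner folder
is deliberately missing from CLEAN_LOG so the report shows a missed item.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

Item = Tuple[str, str]  # (kind, normalised target)

SCAN_RE = re.compile(r"^(Service|Folder|File|Key|Value|Data|Chrome pref) Found: (.+)$")
CLEAN_RE = re.compile(r"^\[([-#])\] (Service|Folder|File|Key|Value|Data) "
                      r"(deleted|deleted on reboot|restored): (.+)$")
EXT_RE = re.compile(r"^\[([-#])\] \[.+\] \[extension\] Deleted: (\S+)$")


def _normalise(kind: str, target: str) -> Item:
    """Reduce a scan or clean entry to the identity both logs share."""
    target = target.strip()
    if kind == "Data":
        target = target.split(" - ", 1)[0]                 # drop the hijacked value
    elif kind == "Chrome pref":
        kind, target = "Extension", target.rsplit(" - ", 1)[-1]  # keep the extension id
    return kind, target.lower()                            # paths/keys are case-insensitive


def parse_scan(text: str) -> List[Item]:
    items = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            items.append(_normalise(m.group(1), m.group(2)))
    return items


def parse_clean(text: str) -> Dict[Item, str]:
    """Map each handled item to 'done' or 'on_reboot' ([-] vs [#])."""
    handled: Dict[Item, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = CLEAN_RE.match(line)
        if m:
            flag, kind, _, target = m.groups()
            handled[_normalise(kind, target)] = "on_reboot" if flag == "#" else "done"
            continue
        m = EXT_RE.match(line)                             # browser extension lines differ
        if m:
            handled[("Extension", m.group(2).lower())] = "on_reboot" if m.group(1) == "#" else "done"
    return handled


class Report(NamedTuple):
    missed: List[Item]      # found by the scan, absent from the clean log
    on_reboot: List[Item]   # deferred; verify after the restart
    extra: List[Item]       # in the clean log but not in the scan


def compare(scan_text: str, clean_text: str) -> Report:
    found = parse_scan(scan_text)
    handled = parse_clean(clean_text)
    found_set = set(found)
    return Report(
        missed=[i for i in found if i not in handled],
        on_reboot=[i for i in found if handled.get(i) == "on_reboot"],
        extra=[i for i in handled if i not in found_set],
    )


# Constructed samples, abridged from the S0 and C0 logs above.
SCAN_LOG = r"""
***** [ Services ] *****
Service Found: AppalmaaZ
Folder Found: C:\ProgramData\AppalmaaZ
Folder Found: C:\ProgramData\Application Data\AppalmaaZ
Folder Found: C:\Program Files (x86)\BestCleaner
File Found: C:\WINDOWS\SysNative\drivers\TFsFltX64.sys
Key Found: HKLM\SOFTWARE\mtAppalmaaZ
Key Found: [x64] HKLM\SOFTWARE\IDOT
Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
Data Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default] - hxxp://%66%65%65%64.%68%65%6C%70%65%72% ... 4sjWoJtlQg
Chrome pref Found: [C:\Users\Primitive\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - jlcgehabolcakkjhgmgpkagpolbjlhfa
"""

CLEAN_LOG = r"""
[-] Service deleted: AppalmaaZ
[-] Folder deleted: C:\ProgramData\AppalmaaZ
[#] Folder deleted on reboot: C:\ProgramData\Application Data\AppalmaaZ
[-] File deleted: C:\WINDOWS\SysNative\drivers\TFsFltX64.sys
[-] Key deleted: HKLM\SOFTWARE\mtAppalmaaZ
[-] Key deleted: [x64] HKLM\SOFTWARE\IDOT
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [interpee]
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default]
[-] [C:\Users\Primitive\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: jlcgehabolcakkjhgmgpkagpolbjlhfa
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:                                 # real logs: scan.txt clean.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as a, \
             open(sys.argv[2], encoding="utf-8", errors="replace") as b:
            report = compare(a.read(), b.read())
    else:
        report = compare(SCAN_LOG, CLEAN_LOG)
    for label, items in report._asdict().items():
        print(f"{label}: {len(items)}")
        for kind, target in items:
            print(f"  {kind}: {target}")
```

Anything under missed is a reason to run the scan again rather than declare the machine clean, and the on_reboot list is what to confirm is gone once the restart has happened; the file names to compare are the ones AdwCleaner prints at the end of each log (C:\AdwCleaner\AdwCleaner[S0].txt and C:\AdwCleaner\AdwCleaner[C0].txt).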