
Unable to run Applications [Solved]

billyavi (18 posts, registered Monday June 6, 2016, last seen June 9, 2016) - Last answered on Jun 9, 2016 05:40PM
I think I have been infected by a virus!
1. On start up I get a script error 80070002 saying C:\WINDOWS\run.vbs.
2. I am unable to access many web pages- I get messages saying DNS look up failed
3. I am unable to run the malware applications that I downloaded via my other network PC and transferred onto the infected one. It just doesn't allow me to go through the set up!
I have Windows 8.1.
Can you please help with step by step instructions?
Many thanks!
Bill
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag:
http://www.nicolascoolman.fr/download/zhpdiag/
(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you run it with admin rights.)

4. Double click on the ZHPDiag shortcut on your Desktop.

5. Click on Scan.
Wait for the tool to finish (it may take a long time).

6. Close ZHPDiag.

7. To transmit the report, click on this link:

http://www.speedyshare.com/

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from Speedyshare and paste it here in your reply.
Ambucias
Moderator and Virus/Security Contributor
billyavi - Jun 7, 2016 02:25PM
Thanks for trying to help. I had to download the ZHPDiag on another computer which is on the same network as the infected one and then move it across. (Because I can't seem to open any web pages.)
Here is the link to the txt document. Please let me know what I should do next.
http://speedy.sh/cYCFT/ZHPDiag.txt
Ambucias (Moderator, 35265 posts, registered Tuesday 2 February 2010, last seen December 9, 2016) - Jun 7, 2016 04:35PM
Thank you, stand by for the medicinal compound.
billyavi - Jun 7, 2016 04:53PM
Thank you!!
Hello,

Should I call you Bill? No wonder you are having problems! Thank you for this interesting case.

You are correct, your DNS host has been hijacked! In conjunction with the hijacking there is a heuristic Trojan horse (Graftor), a proxy hijacker and, to top it all off, a heuristic install core, not to mention the adware and spyware.

I can't see any active antivirus programme!!!

Since your computer is on a network with another computer, I will ask that you run the following tool on both computers as malware can sometimes cross over.

The following tool (ZHPCleaner) will do most of the rough job and should remove the hijackers. The tool is safe for all of your data.

1. Download it and run it on both computers

http://www.nicolascoolman.com/fr/download/zhpcleaner-2/

2. Post the Cleaner's report on this thread and then upload a new ZHP Diag report on Speedyshare.

3. Once I have analyzed your reports I shall be able to instruct you to clean the rest of the dirt and make your computer safer.

As they used to say in the army, ruts a ruck!
billyavi - Jun 7, 2016 06:06PM
After several tries I have managed to avoid getting the blue screen by turning off the wi fi. So the cleaner is scanning now and then I will run the repair tool and then send you the report. All assuming the blue screen does not reappear! Stand by & keep fingers crossed!
Ambucias (Moderator) - Jun 7, 2016 06:22PM
Hi Bill,

I applaud your talent, I had not thought of the Wifi. Indeed since the DNS were hijacked the virus wanted to block the tool.

We will get this thing. Should I not connect with you till tomorrow morning, at least the big cleaning job will have been done and you should have a direct web connection.

I am looking forward to those reports.

P.S. There is only one hour difference between our time zones. Here it is 1822 hrs.
billyavi - Jun 7, 2016 06:26PM
Here is the cleaner report
http://speedy.sh/PrB5D/ZHPCleaner.txt
billyavi - Jun 7, 2016 06:39PM
http://speedy.sh/XCSUa/ZHPDiag-Second-Report.txt
I ran the diagnostic scanner and here is the report. I tried to run the repair tool, but it failed since it could not reach the DNS server!
I also still can't run my AVG anti virus or Malware bytes etc. Seems all these exe files are still not working. And I cannot get onto any website.
But at least the blue screen seems to have disappeared for now, even after I switched on the wifi.
billyavi - Jun 7, 2016 07:21PM
Sorry, just saw your last 2 messages now! I downloaded the ZHP Fix and set it up (even tho' it was all in French). But I am sorry, there seems to be no clear instruction on how to clean and fix! There are 2 options - Import and Configure - but nothing that says Run! Can you please guide me on how to run it?
Thanks so much for all your assistance!
Bill
Hi Bill

I suggest that you wait for my instructions before you attempt any repair.

Is AVG on the ill computer? I can't see it!

Here is what to do next:

1. Download ZHPFix here (don't if you already have it)

http://www.nicolascoolman.fr/download/zhpfix/

2. Select and copy all of the following bold lines.

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
[MD5.175A7595301DBF137164E78BC52696B4] - 04/06/2016 - (.Microsoft Corporation - DNS Client API DLL.) -- C:\WINDOWS\System32\dnsapi.dll [657920]
[MD5.B821C83022E932DBE2C0BA7AE7562A7F] - 04/06/2016 - (.Microsoft Corporation - DNS Client API DLL.) -- C:\WINDOWS\Syswow64\dnsapi.dll [498688]
O23 - Service: Object Mobile (pejykurozbt) . (...) - C:\Program Files (x86)\4C4C4544-1465092403-4210-804B-CAC04F305831\knsv164B.tmpfs (.not file.)
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mysearch.avg.com/
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
O4 - HKLM\..\Run: [WINCOMSG6] C:\Program Files (x86)\browseextension\wincom_SG6.exe (.not file.)
O4 - HKLM\..\Run: [cpuminer] C:\Users\AviandNowshir\AppData\Roaming\cpuminer\cpm.exe (.not file.)
O20 - AppInit_DLLs: . (.Client Connect LTD - Search Protect.) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll
O42 - Logiciel: Search Protect - (.Client Connect LTD.) [HKLM][64Bits] -- SearchProtect
HKLM\SOFTWARE\Wow6432Node\SearchProtect
3 - CFD: 07/06/2016 - [] D -- C:\Program Files (x86)\SearchProtect
3 - CFD: 07/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\app
3 - CFD: 06/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\SearchProtect
HKLM\SYSTEM\CurrentControlSet\Services\pejykurozbt
C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll
C:\Users\AviandNowshir\AppData\Local\app
C:\Users\AviandNowshir\AppData\Local\SearchProtect


3. Close all applications and open ZHP Fix.
4. Click on the Import button and the lines will automatically paste themselves.
5. Click on the Go button to clean
6. Confirm by clicking OK
7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time
8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.
billyavi - Jun 8, 2016 09:52AM
I just have the AVG set up file. But I am still unable to set it up on the infected laptop since it's not allowing me to open any exe files.
Here is the report! I await further instructions! Thanks
Bill


Rapport de ZHPFix 2015.10.19.9 par Nicolas Coolman, Update du 19/10/2015
Fichier d'export Registre :
Run by NowshirBilimoria at 6/8/2016 9:45:26 AM
High Elevated Privileges : OK
Windows 8 Home Premium Edition, 64-bit Service Pack 1 (9600)

Recycle Bin emptied (06mn AMs)
Prefetcher emptied

========== Registry keys ==========
REMOVES: Service: pejykurozbt

========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES: FirewallRaz (Domain) : {9E3D57FC-7C37-4424-9352-4831E97D029D}
REMOVES: FirewallRaz (Domain) : {548DCF8C-BFF2-4BA4-AA88-FBAF9AC8BCC6}
REMOVES: FirewallRaz (Domain) : NetPres-In-TCP-NoScope
REMOVES: FirewallRaz (Domain) : NetPres-Out-TCP-NoScope
REMOVES: FirewallRaz (None) : NetPres-WSD-In-UDP
REMOVES: FirewallRaz (None) : NetPres-WSD-Out-UDP
REMOVES: FirewallRaz (Public) : NetPres-In-TCP
REMOVES: FirewallRaz (Public) : NetPres-Out-TCP
REMOVES: FirewallRaz (None) : MCX-Prov-Out-TCP
REMOVES: FirewallRaz (None) : MCX-McrMgr-Out-TCP
REMOVES: FirewallRaz (Domain) : {E7985E1D-C36F-4787-80A8-6350D07E9266}
REMOVES: FirewallRaz (None) : {808F1451-4108-46FD-ADBB-F17324B5F0BD}
REMOVES: FirewallRaz (Private) : {540ADE2F-374A-4BEC-992E-4A9EAC06895B}
REMOVES: FirewallRaz (Private) : {41819752-A866-45B3-8849-EC94593C2C9C}
REMOVES: FirewallRaz (Private) : {A869A6A5-9EC7-4F3B-BAC0-19F52B80CE4A}
REMOVES: FirewallRaz (Private) : {C0DD7895-3E0F-4201-9F6A-97AEE9B73EC1}
REMOVES: FirewallRaz (None) : {8425859F-FDC0-4F26-9511-FE768D82364C}
REMOVES: FirewallRaz (None) : {B0D0223B-30B7-4F63-A7D6-DDCF6DD1FBA1}
REMOVES: FirewallRaz (None) : {B97B166E-2192-4304-8A4E-5D905E7019C6}
REMOVES: FirewallRaz (None) : {72373A8D-C268-45BD-8D02-502C6DCD7677}
REMOVES RunValue: WINCOMSG6
REMOVES RunValue: cpuminer

========== Elements of the registry data ==========
REMOVES: R0 - Main,Start Page = KCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page
REMOVES: R1 Search Page = <-loopback>
REMOVES: R1 Search Page = http=127.0.0.1:8877;https=127.0.0.1:8877
REMOVES: R1 Search Page = *.local
REMOVES: R1 Search Page = 127.0.0.1:8080
REMOVES AppInit: arch Protect.) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll

========== Folders ==========
Deletes temporary Windows (407)
REMOVES Flash Cookies (0)

========== Files ==========
Deletes temporary Windows (6390) (1,341,708,231 octets)
REMOVES Flash Cookies (0) (0 octets)

========== Other ==========
NON-TREATY 3 - CFD: 07/06/2016 - [] D -- C:\Program Files (x86)\SearchProtect
NON-TREATY 3 - CFD: 07/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\app
NON-TREATY 3 - CFD: 06/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\SearchProtect


========== Summary ==========
1 : Registry keys
24 : Registry values
6 : Elements of the registry data
2 : Folders
2 : Files
3 : Other


End of clean in 33mn AMs

========== Path to file report ==========
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R1].txt - 6/7/2016 5:52:51 PM [579]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R2].txt - 6/8/2016 9:45:32 AM [3073]
billyavi - Jun 8, 2016 01:11PM
I wanted to provide you an update. A lot of major issues appear to be resolved, but some others remain.

1. I no longer get the script error 80070002 saying C:\WINDOWS\run.vbs when I start up.
2. I am once again able to access many web pages - no more messages saying DNS lookup failed.
3. No more blue screens popping up after start up!
4. I was able to start my Malwarebytes program once and it did a nice clean up. But subsequently I am unable to start it! Even after redownloading it.
5. I was unable to reach links from my emails on Chrome. It would only take me to the Chrome homepage but not open the link. So I uninstalled Chrome.
6. I was able to download and install Firefox and Opera, and now the links in my email work fine on Firefox.
7. I downloaded Chrome afresh, but I am unable to run set up.
8. I downloaded AVG, and ran the set up file successfully, but after that was unable to run the program.
9. I opened IE once and wish I hadn't! It seemed to be filled with malware and warnings asking me to call a 1800 nr for help! I had to force shut it. Is there any way to uninstall IE and reload it?

So all in all big improvements, but still need your assistance to troubleshoot the remaining issues.
Thanks again for all your help!
Bill
billyavi - Jun 8, 2016 03:43PM
In the meantime I called AVG and after they did some troubleshooting they confirmed that I still have a virus! So is there some good free virus removal software around that will remove these?
Bill,

You have not followed the ZHP Fix instructions properly; have you clicked on "GO" to confirm the cleaning?

Run ZHP Fix again and ensure you follow the procedure.

Have you, as I indicated before, run ZHP Cleaner on the other computer? As I mentioned, since the DNS and proxies were hacked, the other computer may also have been infected and contaminated the present computer or vice versa.

The reason you had problems with Chrome is because it was also attacked.

I also suggest that you urgently change your Wifi password.

You should have no more than one antivirus software. Antivirus software all have their own scanning engines and .dat files, they may come in conflict and create false positive reports and sometimes let malware through.

To answer your question, no, there is no antivirus software, free or otherwise, that will clean all of this malware. The best thing is to have one good antivirus, a good firewall and, best of all, to avoid taking risks on the net such as downloading torrents, as you have done. The best antivirus suites that I have used are not free, but they are worth it; they may warn you against reaching a site or downloading a file. Some malware can actually ruin an operating system or hack your data for a ransom.

Can you please upload a last ZHP Diag, I will tell you if AVG is correct.

Regards
billyavi - Jun 8, 2016 05:51PM
Actually I followed the ZHP instructions totally! But anyway I am running it again on the infected computer.
Here is the ZHP Cleaner Report on my good PC. I will send you the Diagnostic report in a few minutes after running it.

~ ZHPCleaner v2016.6.6.72 by Nicolas Coolman (2016/06/06)
~ Run by AviandNowshir (Administrator) (08/06/2016 17:47:03)
~ Site : http://www.nicolascoolman.com
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\AviandNowshir\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Home, 64-bit (Build 10586)


---\\ Services (0)
~ No malicious or unnecessary items found.


---\\ Browser internet (0)


---\\ Hosts file (1)
~ The hosts file is legitimate (21)


---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\ Explorer ( File, Folder) (19)
MOVED file: C:\Users\AviandNowshir\AppData\Roaming\Mozilla\Firefox\Profiles\du5cn6a3.default\searchplugins\yahoo.xml =>PUP.Optional.BDYahoo
MOVED file: C:\Users\AviandNowshir\Downloads\ReimageRepair.exe [Reimage® - Reimage Downloader] =>.Superfluous.ReimageRepair
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d2m2wsoho8qq12.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dwq4do82y8xi7.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dwq4do82y8xi7.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_mysearch.avg.com_0.localstorage =>PUP.Optional.MyWebSearch
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_mysearch.avg.com_0.localstorage-journal =>PUP.Optional.MyWebSearch
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage =>PUP.Optional.Generic
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal =>PUP.Optional.Generic
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_duvmkqu6ebwqz.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_duvmkqu6ebwqz.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_putlocker.is_0.localstorage =>PUP.Optional.PutLocker
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_putlocker.is_0.localstorage-journal =>PUP.Optional.PutLocker
MOVED folder: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\File System\008 =>PUP.Optional.DomaIQ


---\\ Registry ( Key, Value, Data) (8)
DELETED key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} [https://mysearch.avg.com/search?cid={15CE60CA-F362-4A02-8A0E-50B6E97275C8}&mid=219d7441624647cc9d60b[...]] [AVG Secure Search] =>PUP.Optional.MyWebSearch
DELETED key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} 10:05:09&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms} =>PUP.Optional.MyWebSearch
DELETED key*: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\soundcloud.com [] =>PUP.Optional.SoundCloud
DELETED key*: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\soundcloud.com [511] =>PUP.Optional.SoundCloud
DELETED key*: [X64] HKLM\SOFTWARE\Classes\S [] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi [ScriptHelperApi Class] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1 [ScriptHelperApi Class] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2} [Google Inc.] =>Heuristic.Suspect


---\\ Summary of the elements found (10)
http://www.nicolascoolman.fr/?p=4664 =>PUP.Optional.BDYahoo
http://www.nicolascoolman.fr/?p=1075 =>.Superfluous.ReimageRepair
http://www.nicolascoolman.fr/?p=5145 =>.Superfluous.CloudfrontNet
http://www.nicolascoolman.fr/?p=220 =>PUP.Optional.MyWebSearch
https://www.nicolascoolman.info/2016/05/01/definition-dun-logiciel-pup-lpi/ =>PUP.Optional.Generic
http://www.nicolascoolman.fr/?p=134 =>PUP.Optional.PutLocker
http://www.nicolascoolman.fr/?p=679 =>PUP.Optional.DomaIQ
http://www.nicolascoolman.fr/?p=4664 =>PUP.Optional.SoundCloud
http://www.nicolascoolman.fr/?p=5143 =>Toolbar.Agent
https://www.nicolascoolman.info/2016/04/22/heuristic-suspect/ =>Heuristic.Suspect


---\\ Other deletions. (13)
~ Registry Keys Tracing deleted (13)
~ Remove the old reports ZHPCleaner. (0)


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Opera Software)


---\\ Statistics
~ Items scanned : 664
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 27


~ End of clean in 00h00mn24s
~====================
ZHPCleaner-[R]-08062016-17_47_27.txt
ZHPCleaner-[S]-08062016-17_42_29.txt
billyavi - Jun 8, 2016 06:05PM
This is the link for the ZHP Diagnostic on the good computer

http://speedy.sh/JRSrS/ZHPDiag.txt
billyavi - Jun 8, 2016 06:27PM
Here is the ZHP Fix report for the infected laptop
http://speedy.sh/kBrUr/ZHPFix-R3-infected-laptop.txt
billyavi - Jun 8, 2016 06:30PM
and here is the ZHP Diagnostic for the infected laptop
http://speedy.sh/VhWeW/ZHPDiag-infected-laptop.txt
The good computer is clean.

The next step should be the final one.

Please run ZHPFix again with the following bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
3 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer
C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer
O23 - Service: Befhu (Befhu) . (...) - C:\Users\AviandNowshir\AppData\Roaming\InarCodmo\Usomideb.exe (.not file.)
O23 - Service: Windows CpuHeatMapping (CpuHeatMapping) . (...) - C:\WINDOWS\system32\CpuHeatMapping2200\CpuHeatMapping.exe (.not file.)
[MD5.00000000000000000000000000000000] [APT] [TaskName] (...) -- Task To Run (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [16811073] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [26811073] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [a16932095] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [b16932095] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [Pa5422917354229173] (...) -- C:\Program Files (x86)\engrained\cyberspace.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
O39 - APT: 16811073 - (...) -- C:\WINDOWS\System32\Tasks\16811073 [3670] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: 26811073 - (...) -- C:\WINDOWS\System32\Tasks\26811073 [3810] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: a16932095 - (...) -- C:\WINDOWS\System32\Tasks\a16932095 [4346] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 - (...) -- C:\WINDOWS\System32\Tasks\a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 [3874] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: b16932095 - (...) -- C:\WINDOWS\System32\Tasks\b16932095 [4362] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 - (...) -- C:\WINDOWS\System32\Tasks\d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 [3734] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: Pa5422917354229173 - (...) -- C:\WINDOWS\System32\Tasks\Pa5422917354229173 [3682] (.Orphan.) =>.Superfluous.Orphan
R1 - HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs = http://search.protectedio.com/ =>.Superfluous.ProtectedIO
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs,Tabs = http://search.protectedio.com/ =>.Superfluous.ProtectedIO
O2 - BHO: Fevkajvirtysd Helper [64Bits] - {59247F99-02BA-4BE3-a0FD-6644871846C7} . (...) -- C:\Program Files\Fevkajvirtysd\Thgislhd.dll (.not file.)
O4 - HKLM\..\Run: [WINCOMQVV] C:\Program Files (x86)\mpck\wincom_QVV.exe (.not file.)
O4 - HKCU\..\Run: [notting] C:\Program Files (x86)\engrained\cyberspace.exe (.not file.)
O4 - HKUS\S-1-5-21-4094268032-3782436370-3926604989-1001\..\Run: [notting] C:\Program Files (x86)\engrained\cyberspace.exe (.not file.)
HKLM\SOFTWARE\Wow6432Node\MPC
HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc. =>.Superfluous.SlimWareUtilities
O43 - CFD: 04/06/2016 - [] D -- C:\ProgramData\boost_interprocess
O43 - CFD: 27/05/2015 - [0] D -- C:\Users\AviandNowshir\AppData\Local\dadi
O43 - CFD: 04/06/2016 - [0] D -- C:\Users\AviandNowshir\AppData\Local\Tempfolder
O43 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\AutoUpdate
HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc. =>.Superfluous.SlimWareUtilities


If you wish a popular and fairly good free antivirus for your lappy, I suggest:

http://ccm.net/download/download-89-avast-antivirus-2016

If you have not paid for Malwarebytes, I suggest you remove it because the free version does not offer real time protection.

Catch you later

Paste the log here when finished
billyavi - Jun 9, 2016 10:07AM
Here is the ZHP Fix report. I will reboot and let you know the status! Keeping fingers crossed!


Rapport de ZHPFix 2015.10.19.9 par Nicolas Coolman, Update du 19/10/2015
Fichier d'export Registre :
Run by NowshirBilimoria at 6/9/2016 10:04:47 AM
High Elevated Privileges : OK
Windows 8 Home Premium Edition, 64-bit Service Pack 1 (9600)

Recycle Bin emptied (03mn AMs)
Prefetcher emptied

========== Process memory ==========
REMOVES Reboot: Memory Process: C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer

========== Registry keys ==========
REMOVES: Service: Befhu
REMOVES: Service: CpuHeatMapping
REMOVES: HKLM\SOFTWARE\Wow6432Node\MPC
REMOVES: HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc.

========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES RunValue: WINCOMQVV
REMOVES RunValue: notting

========== Elements of the registry data ==========
REMOVES: R1 Search Page = *.local
REMOVES: R1 Search Page = http://127.0.0.1:8080
REMOVES: R1 Search Page = https://search.protectedio.com/?u=52f49536d778191a17125e222a2ef5c7&c=p1&src=hp&inst=1449505014

========== Folders ==========
Deletes temporary Windows (5)
REMOVES Flash Cookies (0)
REMOVES: C:\ProgramData\boost_interprocess
REMOVES: C:\Users\AviandNowshir\AppData\Local\dadi
REMOVES: C:\Users\AviandNowshir\AppData\Local\Tempfolder

========== Files ==========
Deletes temporary Windows (50) (11,886,917 octets)
REMOVES Flash Cookies (0) (0 octets)

========== Scheduled task ==========
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: 16811073
REMOVES: 26811073
REMOVES: 26811073
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: b16932095
REMOVES: b16932095
REMOVES: b16932095
REMOVES: b16932095
REMOVES: d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: Pa5422917354229173

========== Other ==========
NON-TREATY 3 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer


========== Summary ==========
1 : Process memory
4 : Registry keys
4 : Registry values
3 : Elements of the registry data
5 : Folders
2 : Files
93 : Scheduled task
1 : Other


End of clean in 18mn AMs

========== Path to file report ==========
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R1].txt - 6/8/2016 5:52:51 PM [579]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R2].txt - 6/8/2016 8:45:32 AM [3161]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R3].txt - 6/8/2016 4:43:32 PM [1908]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R4].txt - 6/9/2016 10:04:51 AM [4055]
billyavi - Jun 9, 2016 11:15AM
Ambucias!
YOU ARE A GENIUS! And an extremely helpful person. Thank you very very much for resolving this serious issue that I faced!
I ran AVG and it found no threats at all! I will download Avast once my AVG trial period ends in 28 days. Should I delete all the ZHP stuff, or is it good to run that cleaner once in a while?
Everything so far seems to be running very well. The only thing that has not been resolved is IE. The moment I opened it my screen was filled with a warning about an error code with Windows Defender and then immediately a warning to immediately call the 1800 nr! All the while accompanied by alarm bells!! I had to force shut it down. Of course I don't need IE, but I assume it is still infected?
By the way I am unable to activate Windows Defender - it says it was turned off by Group Policy and I was unable to turn it on. Do you recommend that it should be turned on? Or do you feel that I should just use Avast and no other applications?
Once again MANY MANY THANKS for your help! I truly appreciate it. By the way do you work for CCM?
Cheers
Bill
Hi Bill,

The registry lines I was mostly concerned about are these:

R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877

They were part of the hijacking.

I haven't used IE for years and I don't use Windows Edge either. Firefox does the trick and I find it safer.

No, don't try to activate Windows Defender, it would be useless.

As I mentioned before, you should have only one antivirus programme or you get conflicts. Avast is always free but if you are ever looking for a paid antivirus suite, I usually recommend F-Secure, Kaspersky or McAfee and to stay away from Norton Symantec.

Yes you can delete all of the ZHP stuff including ZHP Cleaner because updates and upgrades are frequent.

CCM: I am a long time member who went up the ladder.

Helping you was all my pleasure and I won't share it with anyone else! Thank you for your patience and trust as well as your prompt responses.
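As a defender's check to go with the ZHPFix scripts earlier in the thread and the two R5 proxy lines Ambucias singles out here: an added, read-only PowerShell audit (my example, not from the thread or from the ZHP tools) that reads the same locations and reports loopback proxies, AppInit_DLLs, Run values, services and scheduled tasks whose files are gone, and the Defender policy value behind the "turned off by Group Policy" message. The registry paths are the standard Windows locations; the helper function and the regexes are my own.

```powershell
# Read-only audit of the locations the ZHPFix scripts in this thread target.
# Added example, not part of the thread or of the ZHP tools. Run from an elevated
# PowerShell prompt on Windows 8.1 or later; it only reports and changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# Pull the executable out of a Run value, service path or task action such as
# "C:\path\app.exe" /arg  or  C:\Program Files (x86)\mpck\wincom_QVV.exe
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

# 1. Proxy settings: the R5 lines (ProxyServer = http=127.0.0.1:8877;... and
#    ProxyOverride = <-loopback>). A proxy that points back at this machine routes
#    every browser request through a local process; once that process is gone,
#    every page fails to load, which is what the thread starter saw.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    if ($p.ProxyServer) {
        $tag = if ($p.ProxyServer -match '127\.0\.0\.1|localhost|\[::1\]') { 'LOOPBACK PROXY' } else { 'proxy set' }
        $findings.Add(('{0}: {1}\ProxyServer = {2} (ProxyEnable = {3})' -f $tag, $key, $p.ProxyServer, $p.ProxyEnable))
    }
    if ($p.ProxyOverride) { $findings.Add(('ProxyOverride: {0} = {1}' -f $key, $p.ProxyOverride)) }
}

# 2. AppInit_DLLs: the O20 line. A DLL listed here is loaded into every process
#    that links user32.dll, so one entry reaches every desktop application.
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')) {
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($w -and $w.AppInit_DLLs) {
        $findings.Add(('AppInit_DLLs: {0} = {1} (LoadAppInit_DLLs = {2})' -f $key, $w.AppInit_DLLs, $w.LoadAppInit_DLLs))
    }
}

# 3. Run values whose target no longer exists: the O4 "(.not file.)" lines,
#    the stubs left behind once the dropped executable was removed.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $r = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $r) { continue }
    foreach ($prop in @($r.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $exe = Get-ExePath ([string]$prop.Value)
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings.Add(("Run value '{0}' in {1} -> missing file {2}" -f $prop.Name, $key, $exe))
        }
    }
}

# 4. Services whose binary is gone: the O23 "(.not file.)" lines such as the
#    randomly named pejykurozbt, Befhu and CpuHeatMapping services.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExePath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe)) {
        $findings.Add(("Service '{0}' ({1}) -> missing file {2}" -f $svc.Name, $svc.State, $exe))
    }
}

# 5. Scheduled tasks whose action points at a missing file: the [APT] lines.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $action.Execute))
        # Only judge absolute paths; bare names like cmd.exe resolve through PATH.
        if ($exe -match '[\\/]' -and -not (Test-Path -LiteralPath $exe)) {
            $findings.Add(("Task '{0}{1}' -> missing file {2}" -f $task.TaskPath, $task.TaskName, $exe))
        }
    }
}

# 6. The policy value behind "turned off by Group Policy" in the Defender UI.
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    $findings.Add('Windows Defender disabled by policy: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1')
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

Entries tagged "missing file" are leftovers rather than running code, but they are exactly the `(.not file.)` items ZHPDiag listed; a loopback proxy or a populated AppInit_DLLs value deserves a look before anything else.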
billyavi - Jun 9, 2016 05:40PM
Thanks once again Ambucias! You are terrific and I hope that if I ever have issues again that I will be lucky enough to get you! Have a great evening.