Unable to run Applications

Solved/Closed
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016 - Jun 6, 2016 at 07:08 PM
I think I have been infected by a virus!
1. On start up I get a script error 80070002 saying C:\WINDOWS\run.vbs.
2. I am unable to access many web pages- I get messages saying DNS look up failed
3. I am unable to run the malware applications that I downloaded via my other network PC and transferred onto the infected one. It just doesn't allow me to go through the set up!
I have Windows 8.1.
Can you please help with step by step instructions?
Many thanks!
Bill

6 responses

Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 7, 2016 at 06:18 AM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
https://nicolascoolman.eu
(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights)

4. Double click on the shortcut ZHPDiag on your Desktop.

5. Click on Scan.
Wait for the tool to finish (it may take a long time).

6. Close ZHPDiag.

7. To transmit the report, click on this link :

https://authentification.site

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from Speedyshare and paste it here in your reply.
Ambucias
Moderator and Virus/Security Contributor
1
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 02:25 PM
Thanks for trying to help. I had to download the ZHPDiag on another computer which is on the same network as the infected one and then move it across. (Because I can't seem to open any web pages.)
Here is the link to the txt document. Please let me know what I should do next.
http://speedy.sh/cYCFT/ZHPDiag.txt
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173 > billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 04:35 PM
Thank you, stand by for the medicinal compound.
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016 > Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023
Jun 7, 2016 at 04:53 PM
Thank you!!
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 7, 2016 at 05:13 PM
Hello,

Should I call you Bill? No wonder you are having problems! Thank you for this interesting case.

You are correct, your DNS host has been hijacked! In conjunction with the hijacking is a heuristic Trojan horse (Graftor), a proxy hijacker and, to top it all off, a heuristic install core, not to mention the adware and spyware.

I can see any active antivirus programme!!!

Since your computer is on a network with another computer, I will ask that you run the following tool on both computers as malware can sometimes cross over.

The following tool (ZHPCleaner) will do most of the rough job and should remove the hijackers. The tool is safe for all of your data.

1. Download it and run it on both computers

https://nicolascoolman.eu

2. Post the Cleaner's report on this thread and then upload a new ZHPDiag report on Speedyshare.

3. Once I have analyzed your reports I shall be able to instruct you to clean the rest of the dirt and make your computer safer.

As they used to say in the army, ruts a ruck!
1
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 05:39 PM
Well the virus or whatever seems to be spreading!
I did manage to transfer the ZHP Cleaner onto the infected laptop. But shortly after, a "Blue Screen" popped up with all kinds of warnings and urging me to call 18888102411, which they claim is Windows Support! I doubt it!
When I reboot I don't have sufficient time to start the cleaner, before the blue screen pops up again!
I took a picture of the blue screen but I can't send it across to you.
Now I can't use the laptop at all - for anything!
Hope you have some good ideas!
Bill
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173 > billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 05:53 PM
Bill

The virus seems to be self protective.

No it is not a MS support number, they want your cash!

Your choice:

1. You download a tool called ZHP Fix and manually transfer it to the ill computer which will delete the infected files or

2. I give a list of the infected files you search for them and you delete them manually, there are 82 of them.

P.S. I must log out in 30 minutes and will return in 11 hours, but if you hurry...
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016 > billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 06:06 PM
After several tries I have managed to avoid getting the blue screen by turning off the Wi-Fi. So the cleaner is scanning now, and then I will run the repair tool and then send you the report. All assuming the blue screen does not reappear! Stand by & keep fingers crossed!
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173 > billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 06:22 PM
Hi Bill,

I applaud your talent, I had not thought of the Wifi. Indeed since the DNS were hijacked the virus wanted to block the tool.

We will get this thing. Should I not connect with you till tomorrow morning, at least the big cleaning job will have been done and you should have a direct web connection.

I am looking forward for those reports.

P.S. There is only one hour difference between our time zones. Here it is 1822 hrs.
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 7, 2016 at 06:26 PM
Here is the cleaner report
http://speedy.sh/PrB5D/ZHPCleaner.txt
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 8, 2016 at 05:54 AM
Hi Bill

I suggest that you wait for my instructions before you attempt any repair.

Is AVG on the ill computer ? I can't see it!

Here is what to do next:

1. Download ZHPFix here (don't if you already have it)

https://nicolascoolman.eu

2. Select and copy all of the following bold lines.

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
[MD5.175A7595301DBF137164E78BC52696B4] - 04/06/2016 - (.Microsoft Corporation - DNS Client API DLL.) -- C:\WINDOWS\System32\dnsapi.dll [657920]
[MD5.B821C83022E932DBE2C0BA7AE7562A7F] - 04/06/2016 - (.Microsoft Corporation - DNS Client API DLL.) -- C:\WINDOWS\Syswow64\dnsapi.dll [498688]
O23 - Service: Object Mobile (pejykurozbt) . (...) - C:\Program Files (x86)\4C4C4544-1465092403-4210-804B-CAC04F305831\knsv164B.tmpfs (.not file.)
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://mysearch.avg.com/
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
O4 - HKLM\..\Run: [WINCOMSG6] C:\Program Files (x86)\browseextension\wincom_SG6.exe (.not file.)
O4 - HKLM\..\Run: [cpuminer] C:\Users\AviandNowshir\AppData\Roaming\cpuminer\cpm.exe (.not file.)
O20 - AppInit_DLLs: . (.Client Connect LTD - Search Protect.) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll
O42 - Logiciel: Search Protect - (.Client Connect LTD.) [HKLM][64Bits] -- SearchProtect
HKLM\SOFTWARE\Wow6432Node\SearchProtect
3 - CFD: 07/06/2016 - [] D -- C:\Program Files (x86)\SearchProtect
3 - CFD: 07/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\app
3 - CFD: 06/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\SearchProtect
HKLM\SYSTEM\CurrentControlSet\Services\pejykurozbt
C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll
C:\Users\AviandNowshir\AppData\Local\app
C:\Users\AviandNowshir\AppData\Local\SearchProtect


3. Close all applications and open ZHP Fix.
4. Click on the Import button and the lines will automatically paste themselves.
5. Click on the Go button to clean
6. Confirm by clicking OK
7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time
8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.
1
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 09:52 AM
I just have the AVG set up file. But I am still unable to set it up on the infected laptop since it's not allowing me to open any exe files.
Here is the report! I await further instructions! Thanks
Bill


ZHPFix 2015.10.19.9 report by Nicolas Coolman, update of 19/10/2015
Registry export file:
Run by NowshirBilimoria at 6/8/2016 9:45:26 AM
High Elevated Privileges : OK
Windows 8 Home Premium Edition, 64-bit Service Pack 1 (9600)

Recycle Bin emptied (06mn AMs)
Prefetcher emptied

========== Registry keys ==========
REMOVES: Service: pejykurozbt

========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES: FirewallRaz (Domain) : {9E3D57FC-7C37-4424-9352-4831E97D029D}
REMOVES: FirewallRaz (Domain) : {548DCF8C-BFF2-4BA4-AA88-FBAF9AC8BCC6}
REMOVES: FirewallRaz (Domain) : NetPres-In-TCP-NoScope
REMOVES: FirewallRaz (Domain) : NetPres-Out-TCP-NoScope
REMOVES: FirewallRaz (None) : NetPres-WSD-In-UDP
REMOVES: FirewallRaz (None) : NetPres-WSD-Out-UDP
REMOVES: FirewallRaz (Public) : NetPres-In-TCP
REMOVES: FirewallRaz (Public) : NetPres-Out-TCP
REMOVES: FirewallRaz (None) : MCX-Prov-Out-TCP
REMOVES: FirewallRaz (None) : MCX-McrMgr-Out-TCP
REMOVES: FirewallRaz (Domain) : {E7985E1D-C36F-4787-80A8-6350D07E9266}
REMOVES: FirewallRaz (None) : {808F1451-4108-46FD-ADBB-F17324B5F0BD}
REMOVES: FirewallRaz (Private) : {540ADE2F-374A-4BEC-992E-4A9EAC06895B}
REMOVES: FirewallRaz (Private) : {41819752-A866-45B3-8849-EC94593C2C9C}
REMOVES: FirewallRaz (Private) : {A869A6A5-9EC7-4F3B-BAC0-19F52B80CE4A}
REMOVES: FirewallRaz (Private) : {C0DD7895-3E0F-4201-9F6A-97AEE9B73EC1}
REMOVES: FirewallRaz (None) : {8425859F-FDC0-4F26-9511-FE768D82364C}
REMOVES: FirewallRaz (None) : {B0D0223B-30B7-4F63-A7D6-DDCF6DD1FBA1}
REMOVES: FirewallRaz (None) : {B97B166E-2192-4304-8A4E-5D905E7019C6}
REMOVES: FirewallRaz (None) : {72373A8D-C268-45BD-8D02-502C6DCD7677}
REMOVES RunValue: WINCOMSG6
REMOVES RunValue: cpuminer

========== Elements of the registry data ==========
REMOVES: R0 - Main,Start Page = KCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page
REMOVES: R1 Search Page = <-loopback>
REMOVES: R1 Search Page = http=127.0.0.1:8877;https=127.0.0.1:8877
REMOVES: R1 Search Page = *.local
REMOVES: R1 Search Page = 127.0.0.1:8080
REMOVES AppInit: arch Protect.) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll

========== Folders ==========
Deletes temporary Windows (407)
REMOVES Flash Cookies (0)

========== Files ==========
Deletes temporary Windows (6390) (1,341,708,231 bytes)
REMOVES Flash Cookies (0) (0 bytes)

========== Other ==========
NOT PROCESSED 3 - CFD: 07/06/2016 - [] D -- C:\Program Files (x86)\SearchProtect
NOT PROCESSED 3 - CFD: 07/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\app
NOT PROCESSED 3 - CFD: 06/06/2016 - [] D -- C:\Users\AviandNowshir\AppData\Local\SearchProtect


========== Summary ==========
1 : Registry keys
24 : Registry values
6 : Elements of the registry data
2 : Folders
2 : Files
3 : Other


End of clean in 33mn AMs

========== Path to file report ==========
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R1].txt - 6/7/2016 5:52:51 PM [579]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R2].txt - 6/8/2016 9:45:32 AM [3073]
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 01:11 PM
I wanted to provide you an update. A lot of major issues appear to be resolved, but some others remain.

1. I no longer get the script error 80070002 saying C:\WINDOWS\run.vbs on start up.
2. I am once again able to access many web pages; no more messages saying DNS look up failed.
3. No more blue screens popping up after start up!
4. I was able to start my Malwarebytes program once and it did a nice clean up. But subsequently I am unable to start it! Even after redownloading it.
5. I was unable to reach links from my emails in Chrome. It would only take me to the Chrome homepage but not open the link. So I uninstalled Chrome.
6. I was able to download and install Firefox and Opera, and now the links in my email work fine in Firefox.
7. I downloaded Chrome afresh, but I am unable to run set up.
8. I downloaded AVG, and ran the set up file successfully, but after that was unable to run the program.
9. I opened IE once and wish I hadn't! It seemed to be filled with malware and warnings and asking me to call a 1800 nr for help! I had to force shut it. Is there any way to uninstall IE and reload it?

So all in all big improvements, but still need your assistance to troubleshoot the remaining issues.
Thanks again for all your help!
Bill
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 03:43 PM
In the meantime I called AVG and after they did some troubleshooting they confirmed that I still have a virus! So is there some good free virus removal software around that will remove these?
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 8, 2016 at 04:49 PM
Bill,

You have not followed the ZHP Fix instructions properly; have you clicked on "GO" to confirm the cleaning?

Run ZHP Fix again and ensure you follow the procedure.

Have you, as I indicated before, run ZHP Cleaner on the other computer? As I mentioned, since the DNS and proxies were hacked, the other computer may also have been infected and contaminated the present computer, or vice versa.

The reason you had problems with Chrome is because it was also attacked.

I also suggest that you urgently change your Wifi password.

You should have no more than one antivirus software. Antivirus software all have their own scanning engines and .dat files, they may come in conflict and create false positive reports and sometimes let malware through.

To answer your question, no, there is no antivirus software free or otherwise that will clean all of this malware. The best thing is to have one good antivirus, a good firewall and best of all, avoid taking risks on the net such as downloading torrents such as you have done. The best antivirus suites that I have used are not free, but they are worth it, they may warn you against reaching a site or downloading a file. Some malware can actually ruin an operating system or hack your data for a ransom.

Can you please upload a last ZHP Diag, I will tell you if AVG is correct.

Regards
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 05:51 PM
Actually I followed the ZHP instructions totally! But anyway I am running it again on the infected computer.
Here is the ZHP Cleaner Report on my good PC. I will send you the Diagnostic report in a few minutes after running it.

~ ZHPCleaner v2016.6.6.72 by Nicolas Coolman (2016/06/06)
~ Run by AviandNowshir (Administrator) (08/06/2016 17:47:03)
~ Site : https://nicolascoolman.eu
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\AviandNowshir\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Home, 64-bit (Build 10586)


---\\ Services (0)
~ No malicious or unnecessary items found.


---\\ Browser internet (0)


---\\ Hosts file (1)
~ The hosts file is legitimate (21)


---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\ Explorer ( File, Folder) (19)
MOVED file: C:\Users\AviandNowshir\AppData\Roaming\Mozilla\Firefox\Profiles\du5cn6a3.default\searchplugins\yahoo.xml =>PUP.Optional.BDYahoo
MOVED file: C:\Users\AviandNowshir\Downloads\ReimageRepair.exe [Reimage® - Reimage Downloader] =>.Superfluous.ReimageRepair
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d2m2wsoho8qq12.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dwq4do82y8xi7.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dwq4do82y8xi7.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_mysearch.avg.com_0.localstorage =>PUP.Optional.MyWebSearch
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_mysearch.avg.com_0.localstorage-journal =>PUP.Optional.MyWebSearch
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage =>PUP.Optional.Generic
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal =>PUP.Optional.Generic
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_duvmkqu6ebwqz.cloudfront.net_0.localstorage =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_duvmkqu6ebwqz.cloudfront.net_0.localstorage-journal =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_putlocker.is_0.localstorage =>PUP.Optional.PutLocker
MOVED file: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_putlocker.is_0.localstorage-journal =>PUP.Optional.PutLocker
MOVED folder: C:\Users\AviandNowshir\AppData\Local\Google\Chrome\User Data\Default\File System\008 =>PUP.Optional.DomaIQ


---\\ Registry ( Key, Value, Data) (8)
DELETED key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} [https://fr.search.yahoo.com/yhs/search?hspart=avg&hsimp=yhs-fh_lsonsw&type=ch.74.ot._._.fr.avg._._&param2=unknown&param3=ch.74.ot._._.fr.avg._._&p={15CE60CA-F362-4A02-8A0E-50B6E97275C8}&mid=219d7441624647cc9d60b[...]] [AVG Secure Search] =>PUP.Optional.MyWebSearch
DELETED key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} 10:05:09&v=4.3.1.831&pid=wtu&sg=&sap=dsp&q={searchTerms} =>PUP.Optional.MyWebSearch
DELETED key*: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\soundcloud.com [] =>PUP.Optional.SoundCloud
DELETED key*: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\soundcloud.com [511] =>PUP.Optional.SoundCloud
DELETED key*: [X64] HKLM\SOFTWARE\Classes\S [] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi [ScriptHelperApi Class] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1 [ScriptHelperApi Class] =>Toolbar.Agent
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2} [Google Inc.] =>Heuristic.Suspect


---\\ Summary of the elements found (10)
https://www.sosvirus.net/telecharger/zhpcleaner/ =>PUP.Optional.BDYahoo
https://nicolascoolman.eu =>.Superfluous.ReimageRepair
https://nicolascoolman.eu =>.Superfluous.CloudfrontNet
https://nicolascoolman.eu =>PUP.Optional.MyWebSearch
https://www.nicolascoolman.info/2016/05/01/definition-dun-logiciel-pup-lpi/ =>PUP.Optional.Generic
https://nicolascoolman.eu =>PUP.Optional.PutLocker
https://nicolascoolman.eu =>PUP.Optional.DomaIQ
https://www.sosvirus.net/telecharger/zhpcleaner/ =>PUP.Optional.SoundCloud
https://nicolascoolman.eu =>Toolbar.Agent
https://www.nicolascoolman.info/2016/04/22/heuristic-suspect/ =>Heuristic.Suspect


---\\ Other deletions. (13)
~ Registry Keys Tracing deleted (13)
~ Remove the old reports ZHPCleaner. (0)


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Opera Software)


---\\ Statistics
~ Items scanned : 664
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 27


~ End of clean in 00h00mn24s
~====================
ZHPCleaner-[R]-08062016-17_47_27.txt
ZHPCleaner-[S]-08062016-17_42_29.txt
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 06:05 PM
This is the link for the ZHP Diagnostic on the good computer

http://speedy.sh/JRSrS/ZHPDiag.txt
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 06:27 PM
Here is the ZHP Fix report for the infected laptop
http://speedy.sh/kBrUr/ZHPFix-R3-infected-laptop.txt
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 8, 2016 at 06:30 PM
and here is the ZHP Diagnostic for the infected laptop
http://speedy.sh/VhWeW/ZHPDiag-infected-laptop.txt
0

Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 9, 2016 at 06:04 AM
The good computer is clean.

The next step should be the final one.

Please run ZHPFix again with the following bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
3 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer
C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer
O23 - Service: Befhu (Befhu) . (...) - C:\Users\AviandNowshir\AppData\Roaming\InarCodmo\Usomideb.exe (.not file.)
O23 - Service: Windows CpuHeatMapping (CpuHeatMapping) . (...) - C:\WINDOWS\system32\CpuHeatMapping2200\CpuHeatMapping.exe (.not file.)
[MD5.00000000000000000000000000000000] [APT] [TaskName] (...) -- Task To Run (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [16811073] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [26811073] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [a16932095] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [b16932095] (...) -- C:\Program Files (x86)\quietude\observatories.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1] (...) -- C:\Program Files (x86)\somoza\grooved.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
[MD5.00000000000000000000000000000000] [APT] [Pa5422917354229173] (...) -- C:\Program Files (x86)\engrained\cyberspace.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
O39 - APT: 16811073 - (...) -- C:\WINDOWS\System32\Tasks\16811073 [3670] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: 26811073 - (...) -- C:\WINDOWS\System32\Tasks\26811073 [3810] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: a16932095 - (...) -- C:\WINDOWS\System32\Tasks\a16932095 [4346] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 - (...) -- C:\WINDOWS\System32\Tasks\a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 [3874] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: b16932095 - (...) -- C:\WINDOWS\System32\Tasks\b16932095 [4362] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 - (...) -- C:\WINDOWS\System32\Tasks\d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1 [3734] (.Orphan.) =>.Superfluous.Orphan
O39 - APT: Pa5422917354229173 - (...) -- C:\WINDOWS\System32\Tasks\Pa5422917354229173 [3682] (.Orphan.) =>.Superfluous.Orphan
R1 - HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs = http://ww1.protectedio.com =>.Superfluous.ProtectedIO
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs,Tabs = http://ww1.protectedio.com =>.Superfluous.ProtectedIO
O2 - BHO: Fevkajvirtysd Helper [64Bits] - {59247F99-02BA-4BE3-a0FD-6644871846C7} . (...) -- C:\Program Files\Fevkajvirtysd\Thgislhd.dll (.not file.)
O4 - HKLM\..\Run: [WINCOMQVV] C:\Program Files (x86)\mpck\wincom_QVV.exe (.not file.)
O4 - HKCU\..\Run: [notting] C:\Program Files (x86)\engrained\cyberspace.exe (.not file.)
O4 - HKUS\S-1-5-21-4094268032-3782436370-3926604989-1001\..\Run: [notting] C:\Program Files (x86)\engrained\cyberspace.exe (.not file.)
HKLM\SOFTWARE\Wow6432Node\MPC
HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc. =>.Superfluous.SlimWareUtilities
O43 - CFD: 04/06/2016 - [] D -- C:\ProgramData\boost_interprocess
O43 - CFD: 27/05/2015 - [0] D -- C:\Users\AviandNowshir\AppData\Local\dadi
O43 - CFD: 04/06/2016 - [0] D -- C:\Users\AviandNowshir\AppData\Local\Tempfolder
O43 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\AutoUpdate
HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc. =>.Superfluous.SlimWareUtilities


If you wish a popular and fairly good free antivirus for your lappy, I suggest:

https://ccm.net/downloads/security-and-maintenance/4611-avast-free-antivirus-for-pc/

If you have not paid for Malwarebytes, I suggest you remove it because the free version does not offer real time protection.

Catch you later

Paste the log here when finished
0
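The two ZHPFix scripts posted in this thread (the one of Jun 8 and the one of Jun 9 just above) read as a catalogue of persistence and interception points: a proxy on 127.0.0.1:8877 in the Internet Settings of both HKCU and HKLM, a ProxyOverride of <-loopback>, an AppInit_DLLs entry, Run values, services and scheduled tasks whose binaries are already gone ("(.not file.)"). The following is an added example written for this page; it is not code from the thread, from the moderator, or from the ZHP tools. It parses lines in the ZHPDiag/ZHPFix line format and applies the reasoning the moderator applied by hand as explicit rules. The rule names, the severities and the user-writable-path heuristic are this example's own assumptions; the sample input consists of lines copied from the two scripts above.

```python
"""Triage of ZHPDiag / ZHPFix script lines.

Added example for this thread; it is not part of the original posts and not
code from the ZHP tools.  It recognises the line prefixes ZHPDiag uses
(R0/R1/R5 registry data, O2 BHO, O4 Run values, O20 AppInit_DLLs,
O23 services, O39/[APT] scheduled tasks) and applies the reasoning the
moderator applied by hand: a proxy on 127.0.0.1 sits between the browser and
every site it visits, an AppInit_DLLs entry is loaded into every process that
loads user32.dll (while LoadAppInit_DLLs is enabled), and "(.not file.)"
means the payload is already gone but the autostart entry is still live.
Rule names, severities and the user-writable-path heuristic are assumptions
of this example, not ZHP's own classification.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A proxy host that is the machine itself: 127.0.0.1, localhost or [::1] plus a port.
LOOPBACK_PROXY = re.compile(r"(?:^|[=;\s])(?:127\.0\.0\.1|localhost|\[::1\]):\d+")
# Locations an unprivileged user can write to; legitimate services rarely live there.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# First "X:\..." path on a line, stopping before ZHP's " (.flag.)" or " [size]" suffixes.
WIN_PATH = re.compile(r"([A-Za-z]:\\.*?)(?=\s+\(\.|\s+\[\d+\]|\s*$)")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "high" | "medium" | "low"
    line: str


def extract_path(line: str) -> Optional[str]:
    """Return the first Windows path on a ZHP report line, or None."""
    m = WIN_PATH.search(line)
    return m.group(1) if m else None


def triage(report: str) -> list[Finding]:
    """Apply the triage rules to every non-empty line of a ZHP report or script."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix = line.split(" ", 1)[0]      # "R5", "O23", "[MD5.<hash>]", ...
        if "ProxyServer" in line and LOOPBACK_PROXY.search(line):
            findings.append(Finding("local-proxy-hijack", "high", line))
        if "ProxyOverride" in line and "<-loopback>" in line:
            # "<-loopback>" removes WinINET's default exemption of loopback
            # addresses from the proxy, so the bypass list cannot undo the above.
            findings.append(Finding("proxy-override-no-loopback-bypass", "medium", line))
        if prefix == "O20" and "AppInit_DLLs" in line:
            findings.append(Finding("appinit-dll-injection", "high", line))
        if "(.not file.)" in line and (prefix in ("O2", "O4", "O23") or "[APT]" in line):
            findings.append(Finding("orphaned-persistence", "medium", line))
        if prefix == "O39" and "(.Orphan.)" in line:
            findings.append(Finding("orphaned-task-file", "low", line))
        path = extract_path(line)
        if prefix in ("O4", "O23") and path and USER_WRITABLE.search(path):
            findings.append(Finding("autostart-from-user-writable-path", "medium", line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {"local-proxy-hijack": 1, ...}."""
    return dict(Counter(f.rule for f in findings))


# Sample input: lines copied from the two ZHPFix scripts posted in this thread.
SAMPLE = r"""
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
O4 - HKLM\..\Run: [WINCOMSG6] C:\Program Files (x86)\browseextension\wincom_SG6.exe (.not file.)
O4 - HKLM\..\Run: [cpuminer] C:\Users\AviandNowshir\AppData\Roaming\cpuminer\cpm.exe (.not file.)
O20 - AppInit_DLLs: . (.Client Connect LTD - Search Protect.) - C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll
O23 - Service: Object Mobile (pejykurozbt) . (...) - C:\Program Files (x86)\4C4C4544-1465092403-4210-804B-CAC04F305831\knsv164B.tmpfs (.not file.)
O23 - Service: Befhu (Befhu) . (...) - C:\Users\AviandNowshir\AppData\Roaming\InarCodmo\Usomideb.exe (.not file.)
O2 - BHO: Fevkajvirtysd Helper [64Bits] - {59247F99-02BA-4BE3-a0FD-6644871846C7} . (...) -- C:\Program Files\Fevkajvirtysd\Thgislhd.dll (.not file.)
[MD5.00000000000000000000000000000000] [APT] [Pa5422917354229173] (...) -- C:\Program Files (x86)\engrained\cyberspace.exe (.not file.) [0] (.Activate.) =>.Superfluous.Empty
O39 - APT: Pa5422917354229173 - (...) -- C:\WINDOWS\System32\Tasks\Pa5422917354229173 [3682] (.Orphan.) =>.Superfluous.Orphan
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://mysearch.avg.com/
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.rule:36} {f.line[:80]}")
    print(summary(triage(SAMPLE)))
```

To run it over a real report, pass the text of ZHPDiag.txt to triage() instead of SAMPLE. The point of the rules is the order in which a responder should act on such a report: the loopback proxy and the AppInit DLL are live interception, so they come first, while "(.not file.)" entries are harmless on their own but show which mechanisms the infection used and where a reinstalled payload would reappear.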
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 9, 2016 at 10:07 AM
Here is the ZHP Fix report. I will reboot and let you know the status! Keeping fingers crossed!


ZHPFix 2015.10.19.9 report by Nicolas Coolman, update of 19/10/2015
Registry export file:
Run by NowshirBilimoria at 6/9/2016 10:04:47 AM
High Elevated Privileges : OK
Windows 8 Home Premium Edition, 64-bit Service Pack 1 (9600)

Recycle Bin emptied (03mn AMs)
Prefetcher emptied

========== Process memory ==========
REMOVES Reboot: Memory Process: C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer

========== Registry keys ==========
REMOVES: Service: Befhu
REMOVES: Service: CpuHeatMapping
REMOVES: HKLM\SOFTWARE\Wow6432Node\MPC
REMOVES: HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities, Inc.

========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES RunValue: WINCOMQVV
REMOVES RunValue: notting

========== Elements of the registry data ==========
REMOVES: R1 Search Page = *.local
REMOVES: R1 Search Page = http://127.0.0.1:8080
REMOVES: R1 Search Page = https://search.protectedio.com/?u=52f49536d778191a17125e222a2ef5c7&c=p1&src=hp&inst=1449505014

========== Folders ==========
Deletes temporary Windows (5)
REMOVES Flash Cookies (0)
REMOVES: C:\ProgramData\boost_interprocess
REMOVES: C:\Users\AviandNowshir\AppData\Local\dadi
REMOVES: C:\Users\AviandNowshir\AppData\Local\Tempfolder

========== Files ==========
Deletes temporary Windows (50) (11,886,917 bytes)
REMOVES Flash Cookies (0) (0 bytes)

========== Scheduled task ==========
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: TaskName
REMOVES: 16811073
REMOVES: 26811073
REMOVES: 26811073
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a16932095
REMOVES: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: a21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: b16932095
REMOVES: b16932095
REMOVES: b16932095
REMOVES: b16932095
REMOVES: d21Afg0MBVlgmyCdfZzMC-ni-2016-06-04-ni-17657-ni-1
REMOVES: Pa5422917354229173

========== Other ==========
NOT PROCESSED 3 - CFD: 0 - [0] D -- C:\WINDOWS\System32\Config\systemprofile\AppData\Local\BugFixxer


========== Summary ==========
1 : Process memory
4 : Registry keys
4 : Registry values
3 : Elements of the registry data
5 : Folders
2 : Files
93 : Scheduled task
1 : Other


End of clean in 18mn AMs

========== Path to file report ==========
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R1].txt - 6/8/2016 5:52:51 PM [579]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R2].txt - 6/8/2016 8:45:32 AM [3161]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R3].txt - 6/8/2016 4:43:32 PM [1908]
C:\Users\AviandNowshir\AppData\Roaming\ZHP\ZHPFix[R4].txt - 6/9/2016 10:04:51 AM [4055]
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 9, 2016 at 11:15 AM
Ambucias!
YOU ARE A GENIUS! And an extremely helpful person. Thank you very very much for resolving this serious issue that I faced!
I ran AVG and it found no threats at all! I will download Avast once my avg trial period ends in 28 days. Should i delete all the ZHP stuff, or is it good to run that cleaner once in a while?
Everything so far seems to be running very well. The only thing that has not been resolved is IE. The moment I opened it my screen was filled with a warning about an error code with Windows Defender and then immediately a warning to immediately call the 1800 nr! All the while accompanied by alarm bells!! I had to force shut it down. Of course I don't need IE, but I assume it is still infected?
By the way I am unable to activate Windows Defender; it says it was turned off by Group Policy and I was unable to turn it on. Do you recommend that it should be turned on? Or do you feel that I should just use Avast and no other applications?
Once again MANY MANY THANKS for your help! I truly appreciate it. By the way do you work for CCM?
Cheers
Bill
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,173
Jun 9, 2016 at 05:01 PM
Hi Bill,

The registry lines I was mostly concerned about are these:

R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R5 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877

They were part of the hijacking.

I haven't used IE for years and I don't use Windows Edge either. Firefox does the trick and I find it safer.

No, don't try to activate Windows Defender, it would be useless.

As I mentioned before, you should have only one antivirus programme or you get conflicts. Avast is always free but if you are ever looking for a paid antivirus suite, I usually recommend F-Secure, Kaspersky or McAfee and to stay away from Norton Symantec.

Yes you can delete all of the ZHP stuff including ZHP Cleaner because updates and upgrades are frequent.

CCM: I am a long time member who went up the ladder.

Helping you was all my pleasure and I won't share it with anyone else! Thank you for your patience and trust as well as your prompt responses.
0
billyavi Posts 18 Registration date Monday June 6, 2016 Status Member Last seen June 9, 2016
Jun 9, 2016 at 05:40 PM
Thanks once again Ambucias! You are terrific and I hope that if I ever have issues again that I will be lucky enough to get you! Have a great evening.
0