I have contracted a Virus that shows many Ads

Writer · 17 Nov 2015

I ran the Malwarebytes AM Scan (complete); it took a few minutes over 2 hours: below is the Scan Log of items detected:
There were only 16 items.
I notice that "shopperz" is on the list: this is one file that gave me a lot of trouble: it constantly plagued me.

I just clicked on Remove Detected Files. It says that they were all quarantined.

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 11/17/2015
Scan Time: 5:26 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.17.07
Rootkit Database: v2015.11.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x86
File System: NTFS
User: User

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 516948
Time Elapsed: 2 hr, 5 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 16
PUP.Optional.CrossBrowse, C:\AdwCleaner\Quarantine\C\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\metro_driver.dll.vir, , [93883847286359dd69abacc8e420be42],
PUP.Optional.CrossBrowse, C:\AdwCleaner\Quarantine\C\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\nacl64.exe.vir, , [7ba03847e0ab9e985abae094966e1ce4],
PUP.Optional.MindSpark, C:\AdwCleaner\Quarantine\C\Program Files\MapsGalaxy_39\bar\1.bin\T8RES.DLL.vir, , [bc5fb5ca602bc6709c5f99e1a95bd927],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\Program Files\shopperz101120150230\Jijlofd.dll.vir, , [9f7c4d32e1aaa78fa7eb2b6bca370bf5],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\Program Files\shopperz101120150230\Jijlofd64.dll.vir, , [1dfe3f402c5f3df9f6d71a7cf908c13f],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\Program Files\shopperz121120151540\Gucarog.dll.vir, , [b5665b242863d462f39fe5b103fe6a96],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\Program Files\shopperz121120151540\Gucarog64.dll.vir, , [fe1ddaa557344fe794399cfa7d84da26],
PUP.Optional.FastBrowser, C:\AdwCleaner\Quarantine\C\Program Files\speed browser\Application\shortcut.exe.vir, , [6daedca3b0db67cf894069c3f60a946c],
PUP.Optional.SwiftSearch, C:\AdwCleaner\Quarantine\C\Program Files\SwiftSearch_1.10.0.25\Uninstall.exe.vir, , [46d56817d7b46bcb4615f388669efe02],
PUP.Optional.Yontoo, C:\AdwCleaner\Quarantine\C\ProgramData\260dee10-c5d7-419f-8be9-a3d98ba1c6c6\plugins\12\resources\plugin.dll.vir, , [1a0176097f0c46f0c0f5b69bcc35d729],
PUP.Optional.PullUpdate, C:\AdwCleaner\Quarantine\C\ProgramData\TVTime\Uninstall.exe.vir, , [bd5ed0af7c0fe74f141436453dc752ae],
PUP.Optional.QuarkNetwork, C:\AdwCleaner\Quarantine\C\Users\User\AppData\Roaming\NetService\sc.exe.vir, , [74a7e897c4c7b87ed8a5920a25dc3dc3],
Trojan.FilePatch.DNSApi, C:\AdwCleaner\Quarantine\C\WINDOWS\system32\dnsapi.dll.vir, , [55c695eaf893d1658ff79a6646ba847c],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\WINDOWS\system32\Gucarog.dll.vir, , [af6cee91f4973ef8f79be0b6ef12659b],
PUP.Optional.Komodia.WnskRST, C:\AdwCleaner\Quarantine\C\WINDOWS\system32\Jijlofd.dll.vir, , [27f43e4193f80234c3cfebab10f16d93],
PUP.Optional.CheckOffer, C:\Users\User\AppData\Local\Microsoft\Windows\INetCache\IE\RXW76L2D\VuuPC_VO2_8907[1].exe, , [ce4d2956701b86b0799d5ea250b1eb15],

Physical Sectors: 0
(No malicious items detected)

(end)

Writer · 17 Nov 2015

MWAM wanted a "Restart," so I just restarted. The same DLL Error message appeared, by the way.

simrick · 17 Nov 2015

Okay, this is a good scan. All of the items were from the quarantine using ADWCleaner, except for one:

PUP.Optional.CheckOffer, C:\Users\User\AppData\Local\Microsoft\Windows\INetCache\IE\RXW76L2D\VuuPC_VO2_8907[1].exe, , [ce4d2956701b86b0799d5ea250b1eb15],

--------------------------------------
updating the RECAP list:

DONE-Set another restore point,
DONE-Run ESET from Firefox, save the log file and paste it here, let it delete whatever it finds.
DONE-Run Malwarebytes Anti-Exploit (see post #17)

Download and install Malwarebytes Anti-Exploit
This will help protect your browsers against zero-day attacks.

DONE-Run SuperAntiSpyware ( see post #49)

DONE-Please run one last scan of Malwarebytes Antimalware - but this time you're going to do a full scan of drive C and not just a threat scan (see my instructions in previous post #75)

sfc /scannow
CryptoPrevent
Set 2 restore points: CLEAN #1 and CLEAN #2
Ccleaner: open the list of existing restore points, and we will delete all old ones, because they contain infection remnants and we don't want to have them available for a restore. We will also have a look at your startups and autoruns, and your installed programs from here.

(I may have a couple of other tools I will add to the list here, if we find they are necessary, so TBD.)

Then, I will suggest you put a couple add-ons into Firefox and adjust some settings for safety, and ONLY use Firefox to browse the web, until Edge has extension support (sometime next year).

--------------------------------------

Please now let's run SFC /SCANNOW to make sure your operating system files are intact.
When you run the tool, we are looking for the answer "No integrity violations found".
If you get something else other than that, please reboot, and run the tool again. You should run this tool at leaast 3 times, to see if we can get the answer we are looking for.

EDIT: USE OPTION #3

Here are the instructions:
SFC Command - Run in Windows 10 - Windows 10 Forums

Writer · 17 Nov 2015

I just completed the sfc/scannow process: The message read:

I used "Option 3."

"Windows Resource Protection did not find any Integrity Violations."

I accessed the Command Prompt via Start > Command Prompt (Admin)

simrick · 17 Nov 2015

Writer said:

I just completed the sfc/scannow process: The message read:

I used "Option 3."

"Windows Resource Protection did not find any Integrity Violations."

I accessed the Command Prompt via Start > Command Prompt (Admin)

Excellent news.

Next:

Let's download and run CryptoPrevent

We will use standard protection. The computer will need to be rebooted after you've applied the protection.

Please give me a few moments to post some screenshots for you.

simrick · 17 Nov 2015

Running CryptoPrevent

I have contracted a Virus that shows many Ads-foolishit01.png

Select default protection and click apply.

I have contracted a Virus that shows many Ads-foolishit02.png

Check for updates. Please wait a minute or even minute and a half for it to contact the server for updates.

I have contracted a Virus that shows many Ads-foolishit03.png

If an update is available, take it.
Please note this is the free version. It will not auto-update, so you could check that once and a while.

This is NOT a scanner. This makes group policy changes to your computer to prevent malicious code from running from within certain locations in your computer (like appdata), from which malware tend to typically execute their payload/code. It is not a "running" program. It simply makes the group policy changes and then does nothing else until you open it up to check for updates or change the settings.

I have contracted a Virus that shows many Ads-foolishit04.png

I have contracted a Virus that shows many Ads-foolishit05.png

I have contracted a Virus that shows many Ads-foolishit06.png

I have contracted a Virus that shows many Ads-foolishit07.png

I have contracted a Virus that shows many Ads-foolishit08.png

That's it.

Writer · 17 Nov 2015

The Link that you give in Post 95 brings up a Website that is very busy. It is difficult to determine where to click in order to download the software. Could you tell me what to click on there?

One possibility says: Download Locations. Below that it reads: Download at Author's site

Above this it Reads: CryptoPrevent 7.4.20

simrick · 17 Nov 2015

Writer said:

The Link that you give in Post 95 brings up a Website that is very busy. It is difficult to determine where to click in order to download the software. Could you tell me what to click on there?

One possibility says: Download Locations. Below that it reads: Download at Author's site

Above this it Reads: CryptoPrevent 7.4.20

click here
[link removed]

when you've got it let me know, so I can delete the link, in case it changes in the future, and then we have a broken link in our thread.

Writer · 17 Nov 2015

OK, I installed CryptoPrevent. After the "Restart," a message came up that read: Prevention Successfully applied.

A window came up during the process about "WhiteListing" certain segments. It said that if I wasn't sure that I should click on "No" Do not WhiteList. So I clicked on No.

simrick · 17 Nov 2015

Writer said:

OK, I installed CryptoPrevent. After the "Restart," a message came up that read: Prevention Successfully applied.

A window came up during the process about "WhiteListing" certain segments. It said that if I wasn't sure that I should click on "No" Do not WhiteList. So I clicked on No.

That's fine. Please stand by for my next post.

I have contracted a Virus that shows many Ads

For simrick

For simrick

For simrick

For simrick