Old 03-17-2016, 11:06 AM   #1
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Windows Update downloaded virus

Hello,

I recently incurred a virus from a Windows Update--that's right, a Windows Update.

I have Windows 10 and the other day it downloaded a bunch of updates and asked me to schedule a restart. I accepted the suggested time, and when that time came, it did a reboot. When it rebooted, everything seemed fine until I went to surf the internet in Chrome. I went directly to my usual website (a trusted and innocuous discussion forum, not unlike this one) and all of a sudden, new tabs started opening up, advertisements filled the browsers, warnings about being infected, etc. I quickly killed the power and booted again. This time I tried in a different browser (Firefox) and the same thing happened. Then I tried rebooting in safe mode with networking, opened IE and the same thing happened there (different website this time).

It seems like after the Windows Update, all my browsers have been hijacked, even in safe mode.

Anyway, I'd like to request some guidance with this. I'm going to try my usual method of removing viruses:

* Run rkill.
* Run MalwareBytes.
* Run Herd Protect.
* Run AdwCleaner.
* Run SuperAntiSpyware.

I always download the latest versions of these before running them.

Some assistance while I do this would be very much appreciated. Thanks.
gib88
Old 03-17-2016, 11:16 AM   #2
Site Team

Join Date: Sep 2006
Posts: 10,713
Re: Windows Update downloaded virus

I doubt it was Windows Update that gave it to you - likely just bad timing or a virus that needed a restart to change settings while they were not in use. And even trusted sites can get hijacked, or contain bad ads (CNN got hit with virus-downloading ads a while back) and then there's always the drive-by downloads. Set the virus installer to install on system start and boom - you're infected.

What you'll likely need to do in your browsers is reset all settings to default. I'd do it manually to ensure nothing remains like overridden search providers or anything like that.

Being that you have posted here I'm assuming you have access to another PC. Download ComboFix, throw it on a flash drive then run it on the infected PC. Don't mind the link below - the network I'm on now blocks bleepingcomputer.com so I had to copy the link from the Google search. It should still take you to the right place.

https://www.google.com/url?sa=t&rct=...17218890,d.eWE
celegorm
Old 03-17-2016, 05:50 PM   #3
BSOD
 
Join Date: Feb 2016
Location: US
Posts: 963
Re: Windows Update downloaded virus

The virus you got was already in the system and the update woke it up.
Technician
Old 03-17-2016, 11:22 PM   #4
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Re: Windows Update downloaded virus

Thanks both for the responses.

I ran the anti-malware programs I said I'd run in the OP and the virus seems to be gone now.

However, I think Herd Protect deleted an important dll that it wasn't supposed to. When I start Windows, I get this error message:

RAVCp164.exe - System Error

The program can't start because C:\WINDOWS\WinSxS\amd64_microsoft.windows\gdiplus_6595b64144ccf1df_1.1.1058620_none_db007f1392e69ef4\gdiplus.dll is missing from your computer. Try reinstalling the program to fix this problem.

The only applications that don't seem to be working are Herd Protect and MS Paint. When I double-click on these, the mouse cursor spins for a bit then nothing happens. They don't start, in other words. Other programs may be affected in the same way, but I haven't encountered any.

In any case, I'm going to post the logs one at a time in separate posts since this site doesn't seem to allow me to post more than 20,000 characters in one post.

Please have a look at them and let me know if you still think I should run ComboFix.

---------- Post added at 11:20 PM ---------- Previous post was at 11:19 PM ----------

rkill:

Code:
Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/17/2016 05:07:33 PM in x64 mode.
Windows Version: Windows 10 Home 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity: 

 * HdAudAddService [Missing Service]
 * HyperVideo [Missing Service]
 * netvsc [Missing Service]
 * wfpcapture [Missing Service]

 * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys [Incorrect ImagePath]
 * NgcSvc => %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted [Incorrect ImagePath]
 * swenum => \SystemRoot\System32\drivers\swenum.sys [Incorrect ImagePath]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 

  0.0.0.1    mssplus.mcafee.com

Program finished at: 03/17/2016 05:09:25 PM
Execution time: 0 hours(s), 1 minute(s), and 52 seconds(s)


---------- Post added at 11:20 PM ---------- Previous post was at 11:20 PM ----------

MBAM Protection:

Code:
Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Starting, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Started, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:11 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Remediation Database, 2015.9.16.1, 2016.3.10.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Rootkit Database, 2015.9.18.1, 2016.3.12.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, IP Database, 2015.9.21.2, 2016.3.17.1, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Domain Database, 2015.9.22.3, 2016.3.17.6, 
Update, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Malware Database, 2015.9.22.5, 2016.3.17.5, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Refresh, Starting, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Stopping, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Stopped, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Refresh, Success, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:13 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Detection, 2016-03-17 5:30 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, File, Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Quarantine Failed, 5, Access is denied.  , [0acfb5d3f1a8e254181342a550b17789]
Detection, 2016-03-17 5:37 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, File, Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Quarantine Failed, 5, Access is denied.  , [0acfb5d3f1a8e254181342a550b17789]
Scan, 2016-03-17 5:44 PM, SYSTEM, GIBRANSCOMPUTER, Manual, Start:2016-03-17 5:14 PM, Duration:22 min 14 sec, Threat Scan, Completed, 6 Malware Detections, 71 Non-Malware Detections, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Starting, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malware Protection, Started, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Starting, 
Protection, 2016-03-17 5:46 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Started, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, heato.info, 49750, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, heato.info, 49750, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, dynarunner.info, 49751, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, dynarunner.info, 49751, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, kamaker.info, 49752, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, kamaker.info, 49752, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, listcool.net, 49753, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 2016-03-17 5:48 PM, SYSTEM, GIBRANSCOMPUTER, Protection, Malicious Website Protection, Domain, 185.17.184.11, listcool.net, 49753, Outbound, C:\Windows\System32\svchost.exe, 

(end)


---------- Post added at 11:22 PM ---------- Previous post was at 11:20 PM ----------

MBAM Log (part 1):

Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-03-17
Scan Time: 5:14 PM
Logfile: mbam.log
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.17.05
Rootkit Database: v2016.03.12.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Gibran

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 417433
Time Elapsed: 22 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, 5840, Delete-on-Reboot, [79609eea9009ab8b3af135b2a45d1be5]
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, 5840, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6]

Modules: 0
(No malicious items detected)

Registry Keys: 13
PUP.Optional.CloudScout, HKLM\SOFTWARE\5da059a482fd494db3f252126fbc3d5b, Quarantined, [bd1c6d1bafea9c9a5d39a9989d671ee2], 
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [c514ccbc0d8cd85eebad9fdb9470b64a], 
PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [f4e50385782170c6da9356291be95aa6], 
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C06E962-A7F9-4A4C-AD35-E887C3F8E706}, Quarantined, [9445b3d52e6b191dff59ddace81c1de3], 
PUP.Optional.ClousdScout.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DNSLOCKINGTON, Quarantined, [20b9d0b8e0b9f0464cb50f143bc806fa], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E1527582-8509-4011-B922-29E3FB548882}_is1, Quarantined, [45949eea2376ce6829892c5e7f859868], 
PUP.Optional.CloudScout, HKLM\SOFTWARE\WOW6432NODE\5da059a482fd494db3f252126fbc3d5b, Quarantined, [7762fb8d643566d0851169d864a09a66], 
PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [58811573128788aee08d1c6338cce020], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E1527582-8509-4011-B922-29E3FB548882}_is1, Quarantined, [d009592fcfca92a446b1afdaa95b56aa], 
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{ACEF5720}, Quarantined, [67728ff9dbbe00362e12a3e8bd47d32d], 
PUP.Optional.DriverRestore, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\DRIVERRESTORE, Quarantined, [20b9d7b1f3a6270fdec5048acd373ac6], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [45941672f7a2280e4d4ae199b450ee12], 
PUP.Optional.ProductSetup, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [a5341b6dc4d5b5811c6d7ea6f0149868], 

Registry Values: 11
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|URL, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[c514ccbc0d8cd85eebad9fdb9470b64a]D4%26b[c514ccbc0d8cd85eebad9fdb9470b64a]DIE%26cc[c514ccbc0d8cd85eebad9fdb9470b64a]Dca%26pa[c514ccbc0d8cd85eebad9fdb9470b64a]DWincy%26cd[c514ccbc0d8cd85eebad9fdb9470b64a]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[c514ccbc0d8cd85eebad9fdb9470b64a]D1893034082%26a[c514ccbc0d8cd85eebad9fdb9470b64a]Dwbf_freaudedtr_16_06%26os_ver[c514ccbc0d8cd85eebad9fdb9470b64a]D10.0%26os[c514ccbc0d8cd85eebad9fdb9470b64a]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|TopResultURLFallback, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[1dbcf692d9c083b322762e4cd62e926e]D4%26b[1dbcf692d9c083b322762e4cd62e926e]DIE%26cc[1dbcf692d9c083b322762e4cd62e926e]Dca%26pa[1dbcf692d9c083b322762e4cd62e926e]DWincy%26cd[1dbcf692d9c083b322762e4cd62e926e]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[1dbcf692d9c083b322762e4cd62e926e]D1893034082%26a[1dbcf692d9c083b322762e4cd62e926e]Dwbf_freaudedtr_16_06%26os_ver[1dbcf692d9c083b322762e4cd62e926e]D10.0%26os[1dbcf692d9c083b322762e4cd62e926e]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
gib88
Old 03-17-2016, 11:23 PM   #5
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Re: Windows Update downloaded virus

MBAM Log (part 2)

Code:
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1C06E962-A7F9-4A4C-AD35-E887C3F8E706}|Path, \DNSLOCKINGTON, Quarantined, [9445b3d52e6b191dff59ddace81c1de3]
PUP.Optional.DNSUnlocker.EncJob, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{acef5720}|1, 1458181385, Quarantined, [67728ff9dbbe00362e12a3e8bd47d32d]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{083979f0-93d9-4da1-8457-114ff1ea3703}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [d009028683165adc3f424d347391fb05]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{2bbc5fca-b1f0-4322-900f-103f768f68cc}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [a534a5e3c1d8b48228593a4750b42ad6]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4cd92844-59cc-4603-9a79-2ccc04e4289b}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [74652d5bd6c352e4542da1e023e142be]
PUP.Optional.DriverRestore, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\DRIVERRESTORE|FirstScanDateTime, 2016-02-09T20:18:10.6892223-07:00, Quarantined, [20b9d7b1f3a6270fdec5048acd373ac6]
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|URL, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[45941672f7a2280e4d4ae199b450ee12]D4%26b[45941672f7a2280e4d4ae199b450ee12]DIE%26cc[45941672f7a2280e4d4ae199b450ee12]Dca%26pa[45941672f7a2280e4d4ae199b450ee12]DWincy%26cd[45941672f7a2280e4d4ae199b450ee12]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[45941672f7a2280e4d4ae199b450ee12]D1893034082%26a[45941672f7a2280e4d4ae199b450ee12]Dwbf_freaudedtr_16_06%26os_ver[45941672f7a2280e4d4ae199b450ee12]D10.0%26os[45941672f7a2280e4d4ae199b450ee12]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2f23ab71-4ac6-41f2-a955-ea576e553146}|TopResultURLFallback, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f[38a12a5eb9e0c86e890e2456e024a15f]D4%26b[38a12a5eb9e0c86e890e2456e024a15f]DIE%26cc[38a12a5eb9e0c86e890e2456e024a15f]Dca%26pa[38a12a5eb9e0c86e890e2456e024a15f]DWincy%26cd[38a12a5eb9e0c86e890e2456e024a15f]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr[38a12a5eb9e0c86e890e2456e024a15f]D1893034082%26a[38a12a5eb9e0c86e890e2456e024a15f]Dwbf_freaudedtr_16_06%26os_ver[38a12a5eb9e0c86e890e2456e024a15f]D10.0%26os[38a12a5eb9e0c86e890e2456e024a15f]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.ProductSetup, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\PRODUCTSETUP|tb, 0J1M1N0T2R2Y2X1S1M0E1R, Quarantined, [a5341b6dc4d5b5811c6d7ea6f0149868]

Registry Data: 4
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=fBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D1%26bBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DIE%26ccBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]Dca%26paBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DWincy%26cdBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26crBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D1893034082%26aBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]Dwbf_freaudedtr_16_06%26os_verBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]D10.0%26osBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[f7e298f03c5d42f4185b908e39cc13ed]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5
gib88
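Reading the two log parts above as a defender, the entries that explain the symptoms are the per-interface NameServer overrides (82.163.142.7 and 95.211.158.134, which is why every browser, even in safe mode, was redirected), the root certificate thumbprint the DNS Unlocker installer added under SYSTEMCERTIFICATES\ROOT (a rogue trusted root is what lets a DNS hijacker serve HTTPS pages for the redirected sites without a browser warning), the DNSLOCKINGTON scheduled task that re-applied the settings, and the HOSTS entry Rkill found pointing a McAfee domain at 0.0.0.1. The script below is an added example, not code from the thread, Malwarebytes or Rkill: it parses a constructed subset of the log lines quoted above and groups those indicators by kind so the persistence mechanisms can be checked off one by one after cleanup. The EXPECTED_RESOLVERS allowlist is an assumption made for the example.

```python
"""Triage the Malwarebytes / Rkill findings quoted in this thread.

Added example (not from the thread, Malwarebytes or Rkill): parse a constructed
subset of the log lines above and group the indicators that show how the DNS
hijack persisted: resolver overrides, an injected root CA, a scheduled task and
HOSTS tampering.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the MBAM log quoted in this thread.
MBAM_LINES = [
    r"Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{083979f0-93d9-4da1-8457-114ff1ea3703}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [d009028683165adc3f424d347391fb05]",
    r"Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{2bbc5fca-b1f0-4322-900f-103f768f68cc}|NameServer, 82.163.142.7 95.211.158.134, Quarantined, [a534a5e3c1d8b48228593a4750b42ad6]",
    r"PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [f4e50385782170c6da9356291be95aa6], ",
    r"PUP.Optional.DNSUnlocker, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [58811573128788aee08d1c6338cce020], ",
    r"PUP.Optional.ClousdScout.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DNSLOCKINGTON, Quarantined, [20b9d0b8e0b9f0464cb50f143bc806fa], ",
    r"PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [c514ccbc0d8cd85eebad9fdb9470b64a], ",
]
# Constructed sample: the non-default HOSTS entry Rkill reported above.
RKILL_HOSTS_ENTRIES = ["0.0.0.1    mssplus.mcafee.com"]

# Assumption for this example: the resolvers the machine is supposed to use.
# On a real host take these from the DHCP lease or the corporate DNS policy.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Registry locations the DNS changer touched, matched against the key field.
NAMESERVER_RE = re.compile(r"TCPIP\\PARAMETERS(?:\\INTERFACES\\\{[0-9a-f-]+\})?\|NameServer$", re.I)
ROOT_CERT_RE = re.compile(r"SYSTEMCERTIFICATES\\ROOT\\CERTIFICATES\\([0-9A-F]{40})$", re.I)
TASK_RE = re.compile(r"SCHEDULE\\TASKCACHE\\(?:TASKS|TREE)\\([^\\]+)$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    kind: str    # dns_override | rogue_root_cert | persistence_task | hosts_override
    where: str   # registry key, hostname or interface count
    detail: str  # resolver IP, thumbprint, task name or HOSTS target


def parse_mbam_line(line):
    """Split one MBAM result line into (threat, key, data, action); None if malformed.

    Lines look like: threat, key[|value], [data,] action, [hash]. The hash and any
    trailing empty field are dropped; data is None for key-only entries.
    """
    fields = [f.strip().rstrip(",") for f in line.split(", ")]
    fields = [f for f in fields if f and not (f.startswith("[") and f.endswith("]"))]
    if len(fields) < 3:
        return None
    threat, key = fields[0], fields[1]
    if len(fields) == 3:
        return threat, key, None, fields[2]
    return threat, key, fields[2], fields[3]


def triage(mbam_lines, hosts_entries, expected_resolvers=EXPECTED_RESOLVERS):
    """Group the indicators from MBAM lines and Rkill HOSTS entries by kind."""
    findings = []
    rogue_resolvers = Counter()  # resolver IP -> number of interfaces it was set on
    for line in mbam_lines:
        parsed = parse_mbam_line(line)
        if parsed is None:
            continue
        _threat, key, data, _action = parsed
        if NAMESERVER_RE.search(key) and data:
            for ip in data.split():
                if IPV4_RE.match(ip) and ip not in expected_resolvers:
                    rogue_resolvers[ip] += 1
            continue
        cert = ROOT_CERT_RE.search(key)
        if cert:
            # Same thumbprint shows up under the native and WOW6432NODE views.
            findings.append(Finding("rogue_root_cert", key, cert.group(1).upper()))
            continue
        task = TASK_RE.search(key)
        if task:
            findings.append(Finding("persistence_task", key, task.group(1)))
    for ip, count in sorted(rogue_resolvers.items()):
        findings.append(Finding("dns_override", f"{count} interface(s)", ip))
    # Rkill only lists non-default HOSTS entries, so every one is worth a look;
    # the target address tells you whether a domain was sinkholed or redirected.
    for entry in hosts_entries:
        parts = entry.split()
        if len(parts) >= 2:
            findings.append(Finding("hosts_override", parts[1], parts[0]))
    return findings


def summarize(findings):
    """Count findings per kind for a quick overview."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(MBAM_LINES, RKILL_HOSTS_ENTRIES)
    for f in results:
        print(f"{f.kind:16} {f.detail:42} {f.where}")
    print(summarize(results))
```

Run the same triage over the MBAM log produced by a follow-up scan: after a successful cleanup it should report no dns_override and no rogue_root_cert entries, and the thumbprint should no longer appear in the Trusted Root store when you check it directly rather than trusting the scanner's "Quarantined" line.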
Old 03-17-2016, 11:24 PM   #6
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Re: Windows Update downloaded virus

MBAM Log (part 4)

Code:
PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=fBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D1%26bBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DIE%26ccBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]Dca%26paBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DWincy%26cdBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26crBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D1893034082%26aBad: 
(https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]Dwbf_freaudedtr_16_06%26os_verBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]D10.0%26osBad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[1cbd0088702983b379fa23fb28dd09f7]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, 82.163.142.7 95.211.158.134, Good: (8.8.8.8), Bad: (82.163.142.7 95.211.158.134),Replaced,[21b8e8a0227754e2de6d33eb46bf8977]
PUP.Optional.WinYahoo, HKU\S-1-5-21-3477161291-1190242396-1957653652-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome, Good: (www.google.com), Bad: (https://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_freaudedtr_16_06&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FyEtDyCyCzytD0AtDyEtBtDtBtCzytCtN0D0Tzu0StCyDtDtDtN1L2XzutAtFtCzztFtDtFyDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyC0F0CtA0E0EtCtGyEyD0FyCtGtC0D0BtCtGtCzz0EtBtGyE0B0CyByEyD0B0AyDzz0EyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEyEzz0D0EyE0DtGyC0CyCyBtGyE0AtDzztG0B0AyCtCtGtC0FyBtBtB0E0BtB0B0DtAzz2QtN0A0LzuyE%26cr%3D1893034082%26a%3Dwbf_freaudedtr_16_06%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[c0190b7dedacaf87373a4dd1b253669a]


---------- Post added at 11:24 PM ---------- Previous post was at 11:24 PM ----------

MBAM Log (part 5)

Code:
Folders: 8
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DriverRestore, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverRestore, Quarantined, [e7f2b9cf24750c2ad7f2b75fb64dd927], 
PUP.Optional.Amonetize, C:\ProgramData\{0f653c13-112c-0}, Quarantined, [15c4a3e59aff4ee8344bd740d52e966a], 
PUP.Optional.Amonetize, C:\ProgramData\{104b8ea3-212c-1}, Quarantined, [9a3f1d6ba5f4a4923a4549ce37ccb749], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-4c15-0, Quarantined, [8851b5d3b0e92f074c3d0b0cb053b947], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-5351-1, Quarantined, [3f9a8afefc9dae88ea9f22f50df69f61], 
PUP.Optional.Amonetize, C:\ProgramData\fba25c27-2375-0, Quarantined, [34a51d6b7425112538512bec857e5ba5], 
PUP.Optional.Amonetize, C:\ProgramData\fba25c27-4755-0, Quarantined, [5683cbbdff9ac57194f5d245966d37c9], 

Files: 39
Adware.CloudGuard, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Delete-on-Reboot, [79609eea9009ab8b3af135b2a45d1be5], 
PUP.Optional.InstallCore, C:\Users\Gibran\AppData\Roaming\New Version Available\FreeSoundRecorder.exe, Quarantined, [4d8ca3e52c6d5ed8b9ec3ab2936ee31d], 
PUP.Optional.OneSystemCare, C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe, Quarantined, [3a9f21678910e353ff560a3614f1669a], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_installFinish.exe, Quarantined, [5a7fd7b12f6ada5ca1693d7ada27dd23], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_installStart.exe, Quarantined, [b2273751f6a39a9c52b874432ad7629e], 
PUP.Optional.383Media, C:\Users\Gibran\AppData\Local\Temp\DRHelper_uninstallComplete.exe, Quarantined, [2bae295f7c1dba7c26e416a17a8738c8], 
PUP.Optional.ClousdScout.BrwsrFlsh, C:\Windows\System32\Tasks\DNSLOCKINGTON, Quarantined, [627734540693171fc837140ee122758b], 
PUP.Optional.ReMarkable, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.re-markable00.re-markable.net_0.localstorage, Quarantined, [6970c8c0fb9e68ce6aba60c6aa5a9070], 
PUP.Optional.ReMarkable, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.re-markable00.re-markable.net_0.localstorage-journal, Quarantined, [9346097fc4d53afcf72d919554b0d828], 
PUP.Optional.PastaLeads, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_nps.pastaleads.com_0.localstorage, Quarantined, [6a6fa8e09108d3630d122b18c0443ec2], 
PUP.Optional.PastaLeads, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_nps.pastaleads.com_0.localstorage-journal, Quarantined, [1ebb6b1d9cfd3402908fd56ee81ca65a], 
PUP.Optional.BestPriceNinja, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage, Quarantined, [29b0662239608ea83231106ab74dfa06], 
PUP.Optional.BestPriceNinja, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage-journal, Quarantined, [a633414753460b2b0261a3d7ab5931cf], 
PUP.Optional.eShopComp, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.eshopcomp.com_0.localstorage, Quarantined, [a336206831685adc371284fbfe06a060], 
PUP.Optional.eShopComp, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.eshopcomp.com_0.localstorage-journal, Quarantined, [e5f4b9cfc9d020160445bdc20cf8c43c], 
PUP.Optional.CrossRider, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage, Quarantined, [a039a7e1cacf8aacd0d6730f24e0ed13], 
PUP.Optional.CrossRider, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal, Quarantined, [e7f2553336635bdbcbdba7dbec1835cb], 
PUP.Optional.Amonetize.Gen, C:\ProgramData\fba25c27-2375-0\BIT8A81.tmp, Quarantined, [4a8fdcac059485b1f8248ff9ee16619f], 
PUP.Optional.Amonetize.Gen, C:\ProgramData\fba25c27-4755-0\BITF1C4.tmp, Quarantined, [89503454306979bd8c905f296e96e11f], 
PUP.Optional.UTop, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_utop.it_0.localstorage, Quarantined, [c415cdbb910857dfcb8b23689470eb15], 
PUP.Optional.UTop, C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_utop.it_0.localstorage-journal, Quarantined, [a237790f4257082e8dc990fb53b16d93], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\config.ini, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\ConsoleApplication1.dll, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\DNSLOCKINGTON.cer, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\dnslockington.exe, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\Info.rtf, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\License.rtf, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoBlack.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoGreen.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\LogoYellow.ico, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\settings.ini, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\unins000.dat, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\unins000.exe, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.DNSUnlocker.BrwsrFlsh, C:\Program Files (x86)\DNS Unlocker\ZonaTools.XPlorerBar.dll, Quarantined, [8c4dc8c04e4bb77fb5d1776f35cd5aa6], 
PUP.Optional.Amonetize, C:\ProgramData\{0f653c13-112c-0}\BIT711C.tmp, Quarantined, [15c4a3e59aff4ee8344bd740d52e966a], 
PUP.Optional.Amonetize, C:\ProgramData\{104b8ea3-212c-1}\BIT70BD.tmp, Quarantined, [9a3f1d6ba5f4a4923a4549ce37ccb749], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-4c15-0\b2bdd870-4c15-0.d, Quarantined, [8851b5d3b0e92f074c3d0b0cb053b947], 
PUP.Optional.Amonetize, C:\ProgramData\b2bdd870-5351-1\b2bdd870-5351-1.d, Quarantined, [3f9a8afefc9dae88ea9f22f50df69f61], 

Physical Sectors: 0
(No malicious items detected)


(end)
gib88 is offline   Reply With Quote
Old 03-17-2016, 11:28 PM   #7
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Default Re: Windows Update downloaded virus

AdwCleaner:

Code:
# AdwCleaner v5.102 - Logfile created 17/03/2016 at 18:56:40
# Updated 13/03/2016 by Xplode
# Database : 2016-03-16.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Gibran - GIBRANSCOMPUTER
# Running from : D:\anti-virus\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\OneSystemCare
[-] Folder Deleted : C:\ProgramData\acef5720

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : {58C2F33A-4A1A-051A-275C-A2FB660EAC12}

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key Deleted : HKCU\Software\eSupport.com

***** [ Web browsers ] *****

[-] [C:\Users\Gibran\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [2600 bytes] - [17/03/2016 18:56:40]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[S1].txt - [2675 bytes] - [17/03/2016 18:52:47]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [2786 bytes] ##########


---------- Post added at 11:28 PM ---------- Previous post was at 11:25 PM ----------

SuperAntiSpyware:

Too long to post.

Visit: http://www.shahspace.com/superantispyware.txt
gib88 is offline   Reply With Quote
Old 03-18-2016, 01:17 AM   #8
Fully Optimized
 
crazyman143's Avatar
 
Join Date: May 2004
Location: USA
Posts: 2,946
Default Re: Windows Update downloaded virus

gdiplus.dll doesn't appear in the logs you posted. By the way, RAVCp164.exe is part of Realtek Audio Manager. If you don't use the Realtek tray icon, I would suggest just disabling it in your startup items in MSconfig.

If you are concerned about missing system files, run a CMD as administrator, and use the command "sfc /scannow".

SFC will check Windows system files for consistency.
crazyman143 is offline   Reply With Quote
Old 03-20-2016, 03:01 PM   #9
Baseband Member
 
Join Date: May 2012
Location: Canada
Posts: 60
Default Re: Windows Update downloaded virus

Quote:
Originally Posted by crazyman143 View Post
SFC will check windows system files for consistency.
Thanks.

Here's what sfc said:

Beginning verification phase of system scan.
Verification 55% complete.

Windows Resource Protection could not perform the requested operation.

So it got as far as 55% when it bailed, saying that Windows Resource Protection couldn't perform some operation.
gib88 is offline   Reply With Quote
Old 03-21-2016, 09:29 PM   #10
Fully Optimized
 
Draygoes's Avatar
 
Join Date: Nov 2014
Location: United States
Posts: 1,653
Default Re: Windows Update downloaded virus

I see no malware. It appears to be a problem with the update itself. Keep updating, and see if MS fixes their own mistakes. (Yes, I did look over all of your uploaded log files.)
__________________
Will have a youtube channel up soon. Link will be here if I remember.
Draygoes is offline   Reply With Quote