Solved Possible Malware drive by download

[europhile]

Even after resetting Chrome & re installing too the problem has not been solved.
Everytime I try to browse with Chrome
- Kaspersky is blocking this rogue script from downloading https://onlinekey.biz/1f9f5ee62aefca3cb1.js
- Also I find sometimes the webcam is being activated
- Also KIS sometimes says it cannot guarantee the authenticity of the connections
Here are the logs from KIS
20.02.2019 22.09.00 Detected object (file) cannot be disinfected https://onlinekey.biz/1f9f5ee62aefca3cb1.js File: https://onlinekey.biz/1f9f5ee62aefca3cb1.js Object name: not-a-virus:HEUR:AdWare.Script.Generic Object type: Adware Time: 20-02-2019 22:09
19.02.2019 22.16.46 Detected object (file) cannot be disinfected https://lifebounce.net/1f9f5ee62aefca3cb1.js File: https://lifebounce.net/1f9f5ee62aefca3cb1.js Object name: not-a-virus:HEUR:AdWare.Script.Generic Object type: Adware Time: 19-02-2019 22:16
18.02.2019 23.14.12 Detected object (file) cannot be disinfected http://lifebounce.net/1f9f5ee62aefca3cb1.js File: http://lifebounce.net/1f9f5ee62aefca3cb1.js Object name: not-a-virus:HEUR:AdWare.Script.Generic Object type: Adware Time: 18-02-2019 23:14

 

[europhile]

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.02.2019 01
Ran by Karl Fernandes (28-02-2019 20:52:32) Run:1
Running from C:\Users\Karl Fernandes\Desktop
Loaded Profiles: Karl Fernandes (Available Profiles: Karl Fernandes)
Boot Mode: Normal
==============================================

fixlist content:
*****************
GroupPolicy: Restriction ? <==== ATTENTION
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
S3 klvssbridge64_18.0.0; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 18.0.0\x64\vssbridge64.exe" [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
CustomCLSID: HKU\S-1-5-21-1235497104-709031345-4186220094-1001_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {18017515-9468-D082-43E5-70E985889A47} => No File
CustomCLSID: HKU\S-1-5-21-1235497104-709031345-4186220094-1001_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {579CDE80-9468-D082-D64E-EDA685889A47} => No File
ContextMenuHandlers1: [Incinerator] -> {E8215BEA-3290-4C73-964B-75502B9B41B2} => -> No File
ContextMenuHandlers4: [Incinerator] -> {E8215BEA-3290-4C73-964B-75502B9B41B2} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File

 

[Broni]

Last scans...

Download Security Check from here or here and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center
• Windows Update
• Windows Defender
• Other Services

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

Download Sophos Free Virus Removal Tool and save it to your desktop.

• Double click the icon and select Run
• Click Next
• Select I accept the terms in this license agreement, then click Next twice
• Click Install
• Click Finish to launch the program
• Once the virus database has been updated click Start Scanning
• If any threats are found click Details, then View log file... (bottom left hand corner)
• Copy and paste the results in your reply
• Close the Notepad document, close the Threat Details screen, then click Start cleanup
• Click Exit to close the program

 

[europhile]

C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp => removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf => removed successfully
HKLM\System\CurrentControlSet\Services\klvssbridge64_18.0.0 => removed successfully
klvssbridge64_18.0.0 => service removed successfully
HKLM\System\CurrentControlSet\Services\ZAM => removed successfully
ZAM => service removed successfully
HKU\S-1-5-21-1235497104-709031345-4186220094-1001_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B} => removed successfully

 

[europhile]

I am having difficulty posting here -
Your content can not be submitted. This is likely because your content is spam-like or contains inappropriate elements. Please change your content or try again later. If you still have problems, please contact an administrator.

 

[europhile]

C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp => removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf => removed successfully
HKLM\System\CurrentControlSet\Services\klvssbridge64_18.0.0 => removed successfully
klvssbridge64_18.0.0 => service removed successfully
HKLM\System\CurrentControlSet\Services\ZAM => removed successfully
ZAM => service removed successfully
HKU\S-1-5-21-1235497104-709031345-4186220094-1001_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B} => removed successfully
HKU\S-1-5-21-1235497104-709031345-4186220094-1001_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850} => removed successfully

 

[Broni]

Attach the file and then continue with my previous reply.

 

[europhile]

Results of screen317's Security Check version 1.014 --- 12/23/15
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
Kaspersky Internet Security
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Google Chrome (72.0.3626.119)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamtray.exe
Windows Defender MSASCuiL.exe
Kaspersky Lab Kaspersky Secure Connection 2.0 ksde.exe
Kaspersky Lab Kaspersky Secure Connection 2.0 ksdeui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

 

[europhile]

Farbar Service Scanner Version: 27-01-2016
Ran by Karl Fernandes (administrator) on 01-03-2019 at 22:45:14
Running from "C:\Users\Karl Fernandes\Desktop"
Microsoft Windows 10 Pro (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv: "%systemroot%\system32\svchost.exe -k netsvcs -p".
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

[europhile]

Ran TFC it appeared as though someting was interfering with the cleaning process as the status bar kept going back & forth several times but ultimately it completed it's job.

Sophos Antivirus tool failed to install.

 

[europhile]

Fixlog is attached!

 

[Broni]

Run this instead of Sophos...

Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Under "I want a free one-time scan with ESET Online Scanner" click on "Scan now" button.
• It'll download small file "esetonlinescanner_enu.exe".
• Double click on downloaded file.
• Click on Accept button.
• Checkmark "Disable detection of potentially unwanted applications".
• Click Scan
• Accept any security warnings from your browser.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

 

[Broni]

Still with me?

 

[europhile]

Sorry Broni was busy!

ESET Scan
03-03-2019 14:56:23
Files scanned: 216509
Infected files: 8
Cleaned threats: 8
Total scan time 03:06:46
Scan status: Finished

C:\ProgramData\RogueKiller\quarantine\BF03CF9300FAF730.vir\scripts\AddExceptionsWD.reg Win32/HackKMS.AZ potentially unsafe application cleaned by deleting
C:\ProgramData\RogueKiller\quarantine\BF03CF9300FAF730.vir\scripts\Silent.cmd Win32/HackKMS.AZ potentially unsafe application cleaned by deleting

KIS Scan
03.03.2019 10.06.24 Full Scan Objects detected: 5, neutralized: 3, not disinfected: 2 Detected: 5 Deleted: 3 Not disinfected: 2 Release date of databases used for scan: 02-03-2019 19:01 Total duration: 1 hour 16 minutes Completion time: 03-03-2019 11:23
02.03.2019 23.55.47 Advanced Disinfection Objects detected: 2, neutralized: 2, not disinfected: 0 Detected: 2 Deleted: 2 Not disinfected: 0 Release date of databases used for scan: 02-03-2019 19:01 Total duration: 12 minutes 57 seconds Completion time: 03-03-2019 00:08

I installed a trial version of Malwarebytes premium and ran a scan earllier it did detect couple of things and cleaned it off. Computer appears to be behaving now.
Here is the latest report from Malwarebytes
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/12/19
Scan Time: 11:07 PM
Log File: 70dfc108-44ed-11e9-a239-008cfa6e80b6.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9654
License: Trial

-System Information-
OS: Windows 10 (Build 17134.590)
CPU: x64
File System: NTFS
User: DESKTOP-MTBUMQG\Karl Fernandes

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 277301
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 19 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

[Broni]

Your computer is clean https://www.bleepstatic.com/fhost/uploads/6/snag-0004.jpg[/URL]]

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
[COLOR=#ff0000][B]This is a very crucial step so make sure you don't skip it.[/B][/COLOR]
Download [IMG]http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.pngDelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create registry backup
• Purge System Restore
• Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

6. Run Temporary File Cleaner (TFC) and AdwCleaner weekly (you need to redownload these tools since they were removed by DelFix).

7. (optional) If you want to keep all your programs up to date, download and install FileHippo App Manager.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

10. Please, let me know, how your computer is doing.

 

[europhile]

Thank you Broni for all your help!
God Bless You!
Will get in touch in future if I encounter any further probs.
tc

 

[Broni]

You're very welcome