Windows 7 Forums



Windows 7: tradeadexchange

23 Oct 2015   #31
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
Have read on google reports, that the problem with tradeadexchange.com was a DNS hack.
That's why I had you run the batch file to flush the DNS cache and restore Microsoft's Hosts file.
This may have interfered with Spybot's hosts file, but sometimes Spybot will interfere/protect what we're trying to 'fix' or get rid of!

If you didn't pay for IObit, then uninstall it. It will really mess with your registry.


Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



24 Oct 2015   #32
Bernardus

Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Quote:
That's why I had you run the batch file to flush the DNS cache and restore Microsoft's Hosts file.
Hi Jacee

I understand.

Here is the log.

The problem is still there.
I've got this page


24 Oct 2015   #33
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Let me just say

This adware came in with something you downloaded and has stayed! Are you still backing up your files and programs? If you are, you're also backing this up too!

Why is this in your startup?
C:\ProgramData\microsoft\windows\start menu\programs\startup\wordpadfix.exe
See the link:
https://herdprotect.com/wordpadfix.e...fb42f1421.aspx

Do you know if this was ever deleted? HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
(UniDeals) -> PendingDelete


Please download CKScanner by askey127 from HERE

Important - Save it to your desktop.

Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
24 Oct 2015   #34
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

I see that you have some P2P apps...
µTorrent
BitComet 1.35 64-bit
mIRC

Did you uninstall these?
Some keys have not been deleted
Sleutel Niet Verwijderd : [x64] HKCU\Software\Bitberry Software
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Bitberry
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Conduit
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Escolade
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\GoforFiles
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\ParetoLogic
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\powerpack
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Search Settings
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Softonic
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Video Player
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\IObit Apps
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\cain
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\PRODUCTSETUP
[!] Sleutel Niet Verwijderd : [x64] HKCU\Software\WEBAPP
[!] Sleutel Niet Verwijderd : HKU\S-1-5-21-4182600377-2336131417-2761949497-1000\Software\AppDataLow\Software\Search Settings
[!] Sleutel Niet Verwijderd : HKU\S-1-5-21-4182600377-2336131417-2761949497-1000\Software\AppDataLow\Software\IObit Apps

You also might want to take a look at this:
Autonomous System
https://www.virustotal.com/en-gb/ip-...7/information/
13335 (CloudFlare, Inc.)
104.27.138.97
Name Server: CORTNEY.NS.CLOUDFLARE.COM
Name Server: SRI.NS.CLOUDFLARE.COM
HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
(UniDeals) -> PendingDelete ..... ProxyStubClsid
(Default){00020424-0000-0000-C000-000000000046}
Adware.BrowserPlugin
adobe-photoshop-cs6.exe (5920783cc221a08ed4d8eb647be55b936c8e7059)
Programs\Startup\wordpadfix.exe
C:\ProgramData\microsoft\windows\start menu\programs\startup\wordpadfix.exe
https://herdprotect.com/wordpadfix.e...fb42f1421.aspx
apppatch\acwow64.dll
Fix acwow64.dll Error and File Free Download - DLL Suite/DLLSuite.com

Daum Cloud
EZ Backup Ultimate

Plus the fact, that your Adobe Creative Suite 6 appears to be a 'crack'/Keygen
that was bundled with "crossrider"
25 Oct 2015   #35
Bernardus

Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

I have to find out what these items are?
Maybe leftovers?
Never heard of crossrider?
The list "niet verwijderd" contains strings I didn't know about.
Not even why they were not deleted?
But I'll do a search with regseeker.

Asky didn't find any malicious keys or files.

Oh and wordpadfix is a recently installed tiny program, that disables the mad spacings in wordpad (very handy) But I don't know if it's safe?

I've been deleting programs which are indicated as not reliable.
So that list can't be found in the register anymore.

After deleting Adblock and Adblockplus it seems to run all right until now.

Chrome was sluggish lately, but now it runs much faster.
Also starting much faster.

Quote:
Do you know if this was ever deleted? HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
(UniDeals) -> PendingDelete
This string is no longer there.
25 Oct 2015   #36
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Can I see the CKFiles.txt that askey127 gave you?
26 Oct 2015   #37
Bernardus

Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Hello Jacee

I have deleted the list with odd programs and did more scans.
Even Malwarebytes didn't find something suspicious.

Here is the latest result of CKFiles

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\users\xxxxx\favorites\koppelingen\uit firefox\software\wep--wpa-keygen.url
scanner sequence 3.BC.11.RILBIA
----- EOF -----

I think that it is just a web generator to generate a wireless key which I indeed used once.

The system seems to run OK at the moment.
No more problems with Chrome until now.
Chrome is running so much faster.
I recreated a new backup.
If it stays all right, I will be very thankful for your support.

With regards.
26 Oct 2015   #38
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

You have about/close to 17 additional security risks ... You need to uninstall all of them. You know what they are.
27 Oct 2015   #39
Bernardus

Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Hi Jacee

I've checked your recommendations over and over again.
These 17 strings are no longer there.
I searched the whole register with regseeker to trace that list.
Maybe they were related to your list of programs I deleted?
Anyway, it's still running fine now.

The odd thing is, that Tinypic showed a lot of unwanted ads and pop ups which now disappeared.
I'm using Ublock only.
Since Adblock and Adblock Plus were removed, and of course the previously mentioned programs, I can use Tinypic again without these annoying ads. (blocking them made the image links invisible too)

I'm also using a plugin which forces secure HTTPS in the browsers.

If a DNS hack may in any way have taken place, is there a safe way to check or detect that?
I've checked the settings of the internet-connection, but since it's set to dynamic addresses provided by the router, there is little I can check. It's all blank.
Some recommend using a fixed DNS. Or at least a restricted range.
A router, however, is already a hardware firewall as far as I know.

Here is a list from Junkware Removal Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Ultimate x64
Ran by ******** on ma 26-10-2015 at 19:42:47,32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\Driver Booster SkipUAC (********)
Successfully deleted: [Task] C:\Windows\system32\tasks\Uninstaller_SkipUac_********



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\iobit\driver booster
Successfully deleted: [Folder] C:\ProgramData\productdata
Successfully deleted: [Folder] C:\Users\********\AppData\Roaming\iobit\driver booster
Successfully deleted: [Folder] C:\Users\********\AppData\Roaming\productdata



~~~ Chrome

Successfully deleted: [Folder] C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna

[C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
icpgjfneehieebagbmdbhnlpiopdcmna

[C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
icpgjfneehieebagbmdbhnlpiopdcmna
]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on ma 26-10-2015 at 19:49:14,89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Driver booster is no longer installed on my PC.

Thank you so much for your help.
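Added example, not part of any post in this thread: one way to check the hosts-file side of the DNS question raised in post #39. It sorts each active line of a hosts file into default localhost entries, blocklist-style entries that pin a name to a loopback or 0.0.0.0 address, and redirects that pin a name to a routable address. The sample content and the .example names are constructed, and the script does not look at the DNS servers configured on the router or the network adapter.

```python
import ipaddress
import sys

# Constructed sample hosts content for illustration (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example      # blocklist-style entry
0.0.0.0         popups.example
203.0.113.10    www.bank.example login.bank.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, kind, address, names) for every active hosts line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            kind = "malformed"
        elif ip.is_loopback or ip.is_unspecified:
            # Name pinned to this machine or to nowhere: a default or a block.
            only_localhost = all(n.lower() == "localhost" for n in names)
            kind = "default" if only_localhost else "block"
        else:
            # Name pinned to a routable address: this overrides DNS for that name.
            kind = "redirect"
        findings.append((line_no, kind, addr, names))
    return findings

def redirects(text):
    return [f for f in audit_hosts(text) if f[1] == "redirect"]

if __name__ == "__main__":
    # Usage: pass the hosts file path; with no argument the sample is audited.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    for line_no, kind, addr, names in audit_hosts(text):
        if kind != "default":
            print(f"line {line_no}: {kind:<9} {addr} -> {' '.join(names)}")
```

On Windows 7 the file to pass in is C:\Windows\System32\drivers\etc\hosts; any line reported as a redirect is worth explaining before it is trusted.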
27 Oct 2015   #40
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

The only thing I can advise you about, is not to use "dubious" P2P downloads!

It's really important, if you value your PC at all, to stay away from P2P file sharing programs,
like utorrent, Bittorrent, Azureus, Limewire, Vuze.
They are "planted" with thousands upon thousands of infections in the "free" shared files.
Some of the recent infections can turn your machine into a doorstop.

It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs.
Besides being illegal, these files also are loaded with "planted" malware.