tradeadexchange


  1. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #31

    I have read in Google reports that the problem with tradeadexchange.com was a DNS hack.
    That's why I had you run the batch file to flush the DNS cache and restore Microsoft's Hosts file.
    This may have interfered with Spybot's hosts file, but sometimes Spybot will interfere/protect what we're trying to 'fix' or get rid of!

    If you didn't pay for IObit, then uninstall it. It will really mess with your registry.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


  2. Posts : 282
    Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #32

    That's why I had you run the batch file to flush the DNS cache and restore Microsoft's Hosts file.
    Hi Jacee

    I understand.

    Here is the log.

    The problem is still there
    I've got this page
    tradeadexchange Attached Files
    Last edited by Bernardus; 24 Oct 2015 at 06:14.


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #33

    Let me just say

    This adware came in with something you downloaded and has stayed! Are you still backing up your files and programs? If you are, you're also backing this up too!

    Why is this in your startup?
    C:\ProgramData\microsoft\windows\start menu\programs\startup\wordpadfix.exe
    See the link:
    https://herdprotect.com/wordpadfix.e...fb42f1421.aspx

    Do you know if this was ever deleted? HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
    (UniDeals) -> PendingDelete


    Please download CKScanner by askey127 from HERE

    Important - Save it to your desktop.

    Double-click CKScanner.exe and click Search For Files.
    After a very short time, when the cursor hourglass disappears, click Save List To File.
    A message box will verify the file saved.

    Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #34

    I see that you have some P2P apps...
    µTorrent
    BitComet 1.35 64-bit
    mIRC

    Did you uninstall these?
    Some keys have not been deleted
    Sleutel Niet Verwijderd : [x64] HKCU\Software\Bitberry Software
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Bitberry
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Conduit
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Escolade
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\GoforFiles
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\ParetoLogic
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\powerpack
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Search Settings
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Softonic
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\Video Player
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\IObit Apps
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\cain
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\PRODUCTSETUP
    [!] Sleutel Niet Verwijderd : [x64] HKCU\Software\WEBAPP
    [!] Sleutel Niet Verwijderd : HKU\S-1-5-21-4182600377-2336131417-2761949497-1000\Software\AppDataLow\Software\Search Settings
    [!] Sleutel Niet Verwijderd : HKU\S-1-5-21-4182600377-2336131417-2761949497-1000\Software\AppDataLow\Software\IObit Apps

    You also might want to take a look at this:
    Autonomous System
    https://www.virustotal.com/en-gb/ip-...7/information/
    13335 (CloudFlare, Inc.)
    104.27.138.97
    Name Server: CORTNEY.NS.CLOUDFLARE.COM
    Name Server: SRI.NS.CLOUDFLARE.COM
    HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
    (UniDeals) -> PendingDelete ..... ProxyStubClsid
    (Default){00020424-0000-0000-C000-000000000046}
    Adware.BrowserPlugin
    adobe-photoshop-cs6.exe (5920783cc221a08ed4d8eb647be55b936c8e7059)
    Programs\Startup\wordpadfix.exe
    C:\ProgramData\microsoft\windows\start menu\programs\startup\wordpadfix.exe
    https://herdprotect.com/wordpadfix.e...fb42f1421.aspx
    apppatch\acwow64.dll
    Fix acwow64.dll Error and File Free Download - DLL Suite/DLLSuite.com

    Daum Cloud
    EZ Backup Ultimate

    Plus the fact, that your Adobe Creative Suite 6 appears to be a 'crack'/Keygen
    that was bundled with "crossrider"


  5. Posts : 282
    Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #35

    I have to find out what these items are?
    Maybe leftovers?
    Never heard of crossrider?
    The list "niet verwijderd" contains strings I didn't know about.
    Not even why they were not deleted?
    But I'll do a search with regseeker.

    Asky didn't find any malicious keys or files.

    Oh, and wordpadfix is a recently installed tiny program that disables the mad spacings in WordPad (very handy). But I don't know if it's safe?

    I've been deleting programs which are indicated as not reliable.
    So that list can't be found in the register anymore.

    After deleting Adblock and Adblockplus it seems to run all right until now.

    Chrome was sluggish lately, but now it runs much faster.
    Also starting much faster.

    Do you know if this was ever deleted? HKU\S-1-5-21-4182600377-2336131417-2761949497-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\
    (UniDeals) -> PendingDelete
    This string is no longer there.
    Last edited by Bernardus; 25 Oct 2015 at 08:07.


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #36

    Can I see the CKFiles.txt that askey127 gave you?


  7. Posts : 282
    Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #37

    Hello Jacee

    I have deleted the list with odd programs and did more scans.
    Even Malwarebytes didn't find something suspicious.

    Here is the latest result of CKFiles

    CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
    c:\users\xxxxx\favorites\koppelingen\uit firefox\software\wep--wpa-keygen.url
    scanner sequence 3.BC.11.RILBIA
    ----- EOF -----

    I think that it is just a web generator to generate a wireless key which I indeed used once.

    The system seems to run OK at the moment.
    No more problems with Chrome until now.
    Chrome is running so much faster.
    I recreated a new backup.
    If it stays all right, I will be very thankful for your support.

    With regards.


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #38

    You have about/close to 17 additional security risks ... You need to uninstall all of them. You know what they are.


  9. Posts : 282
    Microsoft Windows 7 Ultimate 64-bits 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #39

    Hi Jacee

    I've checked your recommendations over and over again.
    These 17 strings are no longer there.
    I searched the whole register with regseeker to trace that list.
    Maybe they were related to your list of programs I deleted?
    Anyway, it's still running fine now.

    The odd thing is, that Tinypic showed a lot of unwanted ads and pop ups which now disappeared.
    I'm using Ublock only.
    Since Adblock and Adblock Plus were removed, and of course the previously mentioned programs, I can use Tinypic again without these annoying ads. (Blocking them also made the image links invisible.)

    I'm also using a plugin which forces secure HTTPS in the browsers.

    If a DNS hack may in any way have taken place, is there a safe way to check or detect that?
    I've checked the settings of the internet-connection, but since it's set to dynamic addresses provided by the router, there is little I can check. It's all blank.
    Some recommend to use a fixed DNS. Or at least a restricted range.
    A router however is already a hardware firewall for what I know.

    Here is a list from Junkware Removal Tool
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 7.6.4 (09.28.2015:1)
    OS: Windows 7 Ultimate x64
    Ran by ******** on ma 26-10-2015 at 19:42:47,32
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Tasks

    Successfully deleted: [Task] C:\Windows\system32\tasks\Driver Booster SkipUAC (********)
    Successfully deleted: [Task] C:\Windows\system32\tasks\Uninstaller_SkipUac_********



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] C:\ProgramData\iobit\driver booster
    Successfully deleted: [Folder] C:\ProgramData\productdata
    Successfully deleted: [Folder] C:\Users\********\AppData\Roaming\iobit\driver booster
    Successfully deleted: [Folder] C:\Users\********\AppData\Roaming\productdata



    ~~~ Chrome

    Successfully deleted: [Folder] C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna

    [C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

    [C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
    icpgjfneehieebagbmdbhnlpiopdcmna

    [C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

    [C:\Users\********\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
    [
    icpgjfneehieebagbmdbhnlpiopdcmna
    ]





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on ma 26-10-2015 at 19:49:14,89
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Driver booster is no longer installed on my PC.

    Thank you so much for your help.
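One way to check for the local DNS tampering asked about in post #39, as an added example that is not part of the original thread: a read-only PowerShell audit of the hosts file and of the DNS servers each adapter actually uses. The function name `Get-HostsOverride`, the sample lines and the two values in step 3 are assumptions made for illustration.

```powershell
# Added example, not from the thread: read-only audit of local DNS settings.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkAddrs = @('127.0.0.1', '::1', '0.0.0.0')

function Get-HostsOverride {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()      # strip comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }           # malformed line
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # Sink addresses are block lists (Spybot immunization, stock
            # localhost); anything else forces a name to a chosen server.
            $kind = 'Redirect'
            if ($sinkAddrs -contains $ip) { $kind = 'Block' }
            New-Object PSObject -Property @{ Kind = $kind; Address = $ip; Name = $name }
        }
    }
}

# Constructed sample lines (not taken from the poster's machine) showing both
# outcomes; 203.0.113.7 is a documentation-range address.
$sample = '127.0.0.1 localhost', '0.0.0.0 ads.example # block', '203.0.113.7 www.example.com'
Get-HostsOverride $sample | Format-Table Kind, Address, Name -AutoSize

# 1. Hosts file: list names pinned to a non-loopback address.
Get-HostsOverride (Get-Content $hostsPath) |
    Where-Object { $_.Kind -eq 'Redirect' } |
    Format-Table Address, Name -AutoSize

# 2. DNS servers each active adapter really uses. This is filled in even when
#    the adapter dialog is blank because the router hands them out over DHCP.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, DefaultIPGateway, DNSServerSearchOrder |
    Format-List

# 3. Compare the system resolver's answer with a resolver of your choosing.
#    Both values below are placeholders to replace before running.
$name     = 'example.com'
$resolver = '<IP of a DNS resolver you trust>'
nslookup $name
nslookup $name $resolver
```

If step 2 lists only the router's address, the servers the router itself forwards to are set in the router's admin page and have to be checked there.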


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #40

    The only thing I can advise you about, is not to use "dubious" P2P downloads!

    It's really important, if you value your PC at all, to stay away from P2P file sharing programs,
    like utorrent, Bittorrent, Azureus, Limewire, Vuze.
    They are "planted" with thousands upon thousands of infections in the "free" shared files.
    Some of the recent infections can turn your machine into a doorstop.

    It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs.
    Besides being illegal, these files also are loaded with "planted" malware.


 