
Hello,

first of all, this is a follow-up thread to this topic: (maybe you'd like to read that; there are some logs in the replies)

My thought is that the problem is malware, but I can't seem to find any of it. I already scanned with Malwarebytes, AdwCleaner and Avast and didn't find anything. Any help?

 

https://linustechtips.com/topic/718520-remove-invisible-malware/

I just created an account, just to give you another location to clean:

your hosts file of Windows:
C:\Windows\System32\drivers\etc

There were some redirects, even for some more URLs than only "google.com". Just delete all that are not pointing to your local address (127.0.0.1)

You need to disable write protection and must open an editor in administrator mode.

I had the same problem and used SpyBot, AdwCleaner, CCleaner and so on. And then I got the idea to look in this god damn file :)
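One way to do the hosts-file check described above without editing the file in place. This is an added example, not code from the thread or from any of the tools mentioned in it; it assumes the default hosts path and writes its output to the desktop.

```powershell
# Added example, not from the thread: audit the Windows hosts file the way
# blubberaner describes, writing a backup and a cleaned copy to the desktop
# instead of editing in place. Assumes the default hosts path.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Desktop   = [Environment]::GetFolderPath('Desktop')
$Backup    = Join-Path $Desktop ('hosts.backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
$Cleaned   = Join-Path $Desktop 'hosts.cleaned'

# A stock Windows hosts file holds only comments, and loopback is the only
# address a legitimate hand-added entry normally points to.
$Loopback = @('127.0.0.1', '::1')

$comments = @(); $byTarget = @{}
foreach ($line in Get-Content -LiteralPath $HostsPath) {
    # Comment and blank lines are harmless; keep them verbatim for the cleaned copy.
    if ($line -match '^\s*(#|$)') { $comments += $line; continue }
    # Strip a trailing comment, then split "IP name [name ...]" on whitespace.
    $fields = (($line -split '#', 2)[0]).Trim() -split '\s+'
    if ($fields.Count -lt 2) { continue }
    $ip = $fields[0]
    if (-not $byTarget.ContainsKey($ip)) { $byTarget[$ip] = @() }
    $byTarget[$ip] += $fields[1..($fields.Count - 1)]
}

# Every active mapping is unexpected on a stock system, but a mapping to a
# non-loopback address is the dangerous kind: the name is then served by a
# host you do not control, which is what produces the certificate errors
# on Google pages described later in this thread.
foreach ($ip in $byTarget.Keys) {
    $names = @($byTarget[$ip] | Sort-Object -Unique)
    $kind  = if ($Loopback -contains $ip) { 'sinkholed to loopback' } else { 'REDIRECTED to foreign host' }
    Write-Host ('{0,-16} {1,-27} {2} name(s)' -f $ip, $kind, $names.Count)
    $names | ForEach-Object { Write-Host "    $_" }
}

# blubberaner notes the file may be write-protected; report that so the
# replacement step does not fail silently.
if ((Get-Item -LiteralPath $HostsPath).IsReadOnly) {
    Write-Host 'NOTE: hosts is read-only; clear that attribute before replacing it.'
}

# Back up the original and write a comments-only copy for manual review;
# copy it over the real file from an elevated prompt once you are satisfied.
Copy-Item -LiteralPath $HostsPath -Destination $Backup
Set-Content -LiteralPath $Cleaned -Value $comments -Encoding ASCII
Write-Host "Backup: $Backup"
Write-Host "Cleaned copy (comments only): $Cleaned"
```

Review the report before replacing anything: a loopback entry for a name you deliberately added is legitimate, while any entry pointing at a foreign address should be treated as a hijack.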


3 minutes ago, blubberaner said:

I just created an account, just to give you another location to clean:

your hosts file of Windows:
C:\Windows\System32\drivers\etc [...]

Hi, I got into the etc folder but see this: hosts, lmhosts.sam, networks, protocol and services. Do I need to delete them, or just the .sam file, or isn't that what you meant?


24 minutes ago, blubberaner said:

I just created an account, just to give you another location to clean:

your hosts file of Windows:
C:\Windows\System32\drivers\etc [...]

Or do I need to open them in, for example, Dreamweaver / Notepad?

EDIT: I have opened the first file (hosts) in Dreamweaver and got the following information:

# Copyright (c) 1993-2009 Microsoft Corp.    
#    
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.    
#    
# This file contains the mappings of IP addresses to host names. Each    
# entry should be kept on an individual line. The IP address should    
# be placed in the first column followed by the corresponding host name.    
# The IP address and the host name should be separated by at least one    
# space.    
#    
# Additionally, comments (such as these) may be inserted on individual    
# lines or following the machine name denoted by a '#' symbol.    
#    
# For example:    
#    
#      102.54.94.97     rhino.acme.com          # source server    
#       38.25.63.10     x.acme.com              # x client host    
# localhost name resolution is handled within DNS itself.    
#    127.0.0.1       localhost    
#    ::1             localhost    

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
34.195.153.94 www.google-analytics.com
34.195.153.94 google-analytics.com
... and so on, like 60 more of these 34.195.153.94 ...

 

Question: I see for example 127.0.0.1  www.czzsyzgm.com, and I know that I got some ads with the following in their URL: www.czzsyz.. but it stays under my local host name. I should delete those as well, since they're a threat, right?

Edited by Val3nt1n

Yes, delete all entries associated with "34.195.153.94"

After that, I still got this first site to a suspicious website.

I searched more and found that it might be a rootkit or similar.
AdwCleaner always found something under "root/subscriptions".

After a short googling, I found this site:

https://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infection-using-wmi-to-hijack-your-browser/

I first thought it might be a cracked one, but I have done all the steps and deleted that entry. I analysed it first and it looked similar to that script.

Now my hopes are that I deleted it completely.

Don't forget to edit all browser links (use AdwCleaner to identify them, but you don't need to delete the found entries, just edit them)

Edited by blubberaner
Forgot a step.

3 hours ago, blubberaner said:

Yes, delete all entries associated with "34.195.153.94" [...]


OOOOOMMMMMMMGGGGGG !!
I really don't know what I did or what happened but it's fixed!!!!
Thank you so much @blubberaner !! Grateful :)

 

So now for what I did:
I did what the post said, but couldn't find wbemtest.exe. (I ran wbengine.exe a couple of times though)
I ran the Windows Run menu and typed in C:\Windows\System32\wbem, then a folder opened with all the insides of wbem, and from there wbemtest.exe was available. Next I did everything the post said, but in my case I had no ASECs, but still pressed OK and all that.
Still the adware was present.
A user in the comments posted something about Windows PowerShell.

 

Once I was in the System32 folder I searched for "powershell" and ran both powershell_ise and powershell and typed in the command "Remove-WmiObject -Class "ActiveScriptEventConsumer" -Namespace "root/subscription" | where Name -EQ "ASEC" ". This gave me an error. After that I ran this command " gwmi -Namespace "root/subscription" " and then with the class "ActiveScriptEventConsumer" a couple of times. Next I closed PowerShell.
After that I installed the Shortcut Cleaner linked in the post. Like before, there was nothing malicious and the cleaner found 0 bad shortcuts.
I wanted to run AdwCleaner, but for some reason it got deleted or something from my PC; I didn't install it again though. Ran JRT and Malwarebytes and deleted all the logs the programs had made after the cleanups.
(Not to mention: at no time did I have any browsers open except after the cleaning of JRT and Malwarebytes)
And BOOM, now it works. Don't know how, but I am thankful.

(Even after reboot it's still fixed)

Now I hope that @zyl will have this shit fixed as well.

 

EDIT: before all this shizzle, I opened the hosts file in Dreamweaver (or Notepad if it can) and deleted everything that had to do with the other IP address 34.195.153.94, INCLUDING all the ad sites from addresses like the main 127.0.0.1. I saved it as hosts on the desktop so I could replace the old hosts file with the cleaned-up one with administrator rights.

Edited by Val3nt1n
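The WMI part of the cleanup above can be done more deliberately than by trial and error. This is an added example, not code from the thread or from the BleepingComputer article it links: it lists the permanent WMI event subscriptions in root\subscription so the payload can be inspected first, and then shows a removal function that pipes in the right order. It uses Get-WmiObject because that is what the post used; Remove-WmiSubscription is a helper name chosen here, and the filter name in the example call is a placeholder.

```powershell
# Added example, not from the thread or the linked article. Run from an
# elevated PowerShell prompt. Uses Get-WmiObject as the post did
# (Get-CimInstance / Remove-CimInstance work the same way on newer systems).
$ns = 'root\subscription'

# 1. Bindings tie a filter (trigger) to a consumer (payload).
#    A clean system normally has none of these at all.
Write-Host '== __FilterToConsumerBinding =='
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# 2. Filters: the WQL query that fires the consumer, e.g. a periodic timer.
Write-Host '== __EventFilter =='
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, Query | Format-List

# 3. Consumers: ActiveScriptEventConsumer carries inline JScript/VBScript,
#    CommandLineEventConsumer carries a command line. Show the full payload
#    so it can be read before anything is deleted.
Write-Host '== ActiveScriptEventConsumer =='
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText | Format-List
Write-Host '== CommandLineEventConsumer =='
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate | Format-List

# 4. Removal. The command quoted in the post errors because the Where-Object
#    filter comes after Remove-WmiObject; the object must be selected first
#    and then piped into Remove-WmiObject. Delete the binding first, then the
#    consumer, then the filter, so nothing is left referencing a deleted object.
function Remove-WmiSubscription {
    param([Parameter(Mandatory)] [string] $ConsumerName,
          [Parameter(Mandatory)] [string] $FilterName)
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Consumer -like "*$ConsumerName*" } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        Where-Object { $_.Name -eq $FilterName } | Remove-WmiObject
}

# Example call using the consumer name from the thread; take the filter name
# from the __EventFilter listing above (placeholder here, not a real value).
# Remove-WmiSubscription -ConsumerName 'ASEC' -FilterName '<FILTER NAME FROM LISTING>'
```

Run the listing again after removal and reboot; an empty result for all three classes is the expected state on a system that has no legitimate WMI subscriptions.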

Hey guys, I just made this account as well to be able to comment because I'm having the same issue you all were... Ironically though, making this account turned out to be an obstacle just in itself; I had to end up creating it from my phone because the security check box in making the account that you check to bring up pics to validate you're human was not there. So as frustrating as this problem is getting, I'm glad I came across the thread prior to this bringing me here, so hopefully I can resolve this problem as well...

    My issue started after I installed AVG TuneUp, which basically consolidated a large portion of my laptop and increased the performance of my HP. But then I went to Google Chrome to download and install something else and I was having trouble accessing the website; I thought the simplest fix would be to uninstall and reinstall Google Chrome. So then I came across the problem using Internet Explorer: not being able to access the Google Chrome web page to reinstall it, I'm getting the same type of security certificate errors as you all were.

Anyway, I'm not exactly sure where I should start in trying to solve this issue. After reading your information I was hoping that maybe from y'all's experience and knowledge on this issue someone could break it down into some simplified instructions that maybe I should start with.. hoping to hear back.... thanks in advance for any suggestions or additional help apart from what you all have already posted.


14 hours ago, blubberaner said:

Yes, delete all entries associated with "34.195.153.94" [...]

Sorry, I'm kinda dumb, but what do I have to delete? :

# Copyright (c) 1993-2009 Microsoft Corp.    
#    
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.    
#    
# This file contains the mappings of IP addresses to host names. Each    
# entry should be kept on an individual line. The IP address should    
# be placed in the first column followed by the corresponding host name.    
# The IP address and the host name should be separated by at least one    
# space.    
#    
# Additionally, comments (such as these) may be inserted on individual    
# lines or following the machine name denoted by a '#' symbol.    
#    
# For example:    
#    
#      102.54.94.97     rhino.acme.com          # source server    
#       38.25.63.10     x.acme.com              # x client host    
# localhost name resolution is handled within DNS itself.    
#    127.0.0.1       localhost    
#    ::1             localhost    

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com
34.195.153.94 www.google-analytics.com
34.195.153.94 google-analytics.com


6 minutes ago, Ace08 said:

Hey guys, I just made this account as well to be able to comment because I'm having the same issue you all were... [...]

Hey, have you read my other thread? Maybe there's also help for you. Also use AdwCleaner, it's really good.


So the final result should be this:

 

# Copyright (c) 1993-2009 Microsoft Corp.    
#    
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.    
#    
# This file contains the mappings of IP addresses to host names. Each    
# entry should be kept on an individual line. The IP address should    
# be placed in the first column followed by the corresponding host name.    
# The IP address and the host name should be separated by at least one    
# space.    
#    
# Additionally, comments (such as these) may be inserted on individual    
# lines or following the machine name denoted by a '#' symbol.    
#    
# For example:    
#    
#      102.54.94.97     rhino.acme.com          # source server    
#       38.25.63.10     x.acme.com              # x client host    
# localhost name resolution is handled within DNS itself.    
#    127.0.0.1       localhost    
#::1             localhost  


1 hour ago, Val3nt1n said:

So the final result should be this: [...]

Thanks to everyone, especially @Val3nt1n, everything's good now


  • 2 months later...
On 08/01/2017 at 6:37 PM, Val3nt1n said:

Hi, delete all the IPs, so everything below #::1             localhost

Hello, can you tell me how to get to that stage?

When I open that hosts file in C:\Windows\System32\drivers\etc it's completely blank. I've taken write protection off and ran my Notepad as administrator and it's still empty.


On 14.3.2017 at 7:42 PM, matin94 said:

Hello, can you tell me how to get to that stage?

When I open that hosts file in C:\Windows\System32\drivers\etc it's completely blank. I've taken write protection off and ran my Notepad as administrator and it's still empty.

Hey, do you still need help?
