Odd behaviour, can't seem to fix it.

Some persistent browser hijacking, and some slowness, any help appreciated.







DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 11.0.15063.0  BrowserJavaVersion: 11.121.2

Run by Matt at 1:46:03 on 2017-08-07

Microsoft Windows 10 Home  10.0.15063.0.1252.1.1033.18.3959.1064 [GMT -7:00]

.

AV: Avast Antivirus *Enabled/Updated* {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}

AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Avast Antivirus *Enabled/Updated* {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

.

============== Running Processes ===============

.

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

C:\WINDOWS\system32\fontdrvhost.exe

C:\WINDOWS\system32\fontdrvhost.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

c:\windows\system32\svchost.exe -k rpcss

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s TimeBrokerSvc

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s hidserv

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

C:\Windows\System32\WUDFHost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe -k localservice -s WinHttpAutoProxySvc

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe -k localservice -s FontCache

C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe

C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted

C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

C:\WINDOWS\System32\spoolsv.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\sihost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\svchost.exe -k unistacksvcgroup -s WpnUserService

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\WINDOWS\System32\svchost.exe -k utcsvc

c:\windows\system32\svchost.exe -k apphost -s AppHostSvc

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE

c:\windows\system32\svchost.exe -k localservicenonetwork -s DPS

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe -k iissvcs

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s PcaSvc

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe

C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

C:\OEM\USBDECTION\USBS3S4Detection.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\taskhostw.exe

c:\windows\system32\svchost.exe -k netsvcs -s iphlpsvc

C:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe

c:\windows\system32\svchost.exe -k localservice -s WdiServiceHost

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\WINDOWS\Explorer.EXE



.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 10 Home

Boot Device: \Device\HarddiskVolume2

Install Date: 5/16/2017 11:43:25 PM

System Uptime: 8/6/2017 6:19:26 PM (7 hours ago)

.

Motherboard: Acer |  | Aspire X3950

Processor: Intel(R) Core(TM) i3 CPU         540  @ 3.07GHz | CPU 1 | 1200/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 442 GiB total, 193.265 GiB free.

D: is CDROM ()

E: is CDROM (CDFS)

F: is Removable

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: Microsoft PS/2 Mouse

Device ID: ACPI\PNP0F03\4&153956B5&0

Manufacturer: Microsoft

Name: Microsoft PS/2 Mouse

PNP Device ID: ACPI\PNP0F03\4&153956B5&0

Service: i8042prt

.

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Standard PS/2 Keyboard

Device ID: ACPI\PNP0303\4&153956B5&0

Manufacturer: (Standard keyboards)

Name: Standard PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&153956B5&0

Service: i8042prt

.

==== System Restore Points ===================

.

RP8: 7/13/2017 9:01:42 PM - Windows Update

RP11: 8/1/2017 9:30:35 PM - Installed MIDI-OX

RP12: 8/3/2017 8:31:30 PM - Installed VirtualDJ 8

RP14: 8/5/2017 12:39:23 AM - Removed VirtualDJ 8

.

==== Installed Programs ======================

.

 clear.fi

50 FREE MP3s +1 Free Audiobook!

7-Zip 16.04 (x64 edition)

Acer eRecovery Management

Acer Games

Acer ScreenSaver

Acer Updater

Adobe Acrobat Reader DC

Adobe AIR

Adobe Flash Player 24 NPAPI

Adobe Refresh Manager

Agatha Christie - Death on the Nile

alien_crossfire

alpha_centauri

Apple Application Support

Apple Software Update

Archimedean Dynasty 1.120

Audacity 2.1.3

Avast Free Antivirus

Bejeweled 3

BOINC

Bundled software uninstaller

CCleaner

CDisplayEx 1.9.15

ChromecastApp

Chronicles of Albian

Cisco WebEx Meetings

clear.fi

clear.fi Client

CMS3

Combined Community Codec Pack 2015-10-18

Cradle of Rome 2

D3DX10

Deluge 1.3.13

DJ Intro version 1.2.8

Dora's World Adventure

Download Updater (AOL Inc.)

Dropbox

DVDFab Passkey 8.2.7.1 (28/04/2016)

eBay Worldwide

EPSON NX410 Series Printer Uninstall

EPSON Scan

Evernote v. 6.5.4

FATE

Final Drive: Nitro

Fooz Kids

Fooz Kids Platform

Free eXPert PDF Reader

g!Connect

g!Tools

Galerie de photos Windows Live

Galería fotográfica de Windows Live

Google Chrome

Google Update Helper

Governor of Poker 2 Premium Edition

HomeWorks QS 9.2.0

Hotkey Utility

Identity Card

Intel(R) Control Center

Intel(R) Processor Graphics

Java 8 Update 121

Java 8 Update 144

Java Auto Updater

Jewel Quest Mysteries: The Seventh Gate Collector's Edition

Junk Mail filter update

Kobo

Malwarebytes Anti-Malware version 2.2.1.1043

McAfee SiteAdvisor

McAfee WebAdvisor

MediaMonkey 4.1

Mesh Runtime

Microsoft .NET Framework 4.5.2

Microsoft Application Error Reporting

Microsoft Corporation

Microsoft DVD App Installation for Microsoft.WindowsDVDPlayer_2019.6.13291.0_neutral_~_8wekyb3d8bbwe (x64)

Microsoft LifeCam

Microsoft Office 2010

Microsoft OneDrive

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft SQL Server 2012 Express LocalDB

Microsoft SQL Server 2012 Management Objects

Microsoft System CLR Types for SQL Server 2012

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219

Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005

Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005

Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005

Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005

Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005

Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005

Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215

Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.24215

Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.24215

MIDI-OX

Mixxx 2.0.0 (64-bit)

Mozilla Firefox 54.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MyWinLocker

MyWinLocker 4

MyWinLocker Suite

Native Instruments Controller Editor

Native Instruments Service Center

Native Instruments Traktor 2

Nero Control Center 10

Nero ControlCenter 10 Help (CHM)

Nero Core Components 10

Nero DiscSpeed 10

Nero DiscSpeed 10 Help (CHM)

Nero Express 10

Nero Express 10 Help (CHM)

Nero Multimedia Suite 10 Essentials

Nero StartSmart 10

Nero StartSmart 10 Help (CHM)

Nero Update

Network Secured DNSIO

Nexus - The Jupiter Incident

Norton Online Backup

OpenOffice 4.0.0

Oracle VM VirtualBox 5.0.12

Penguins!

Plants vs. Zombies - Game of the Year

PMB

Polar Bowler

Polar Golfer

Privatefirewall 7.0

QuickTime 7

RadioRA 2 8.0

Realtek Ethernet Controller Driver For Windows 7

Realtek High Definition Audio Driver

Rosetta Stone Ltd Services

Rosetta Stone TOTALe

SafeZone Stable 3.55.2393.609

Shredder

Sid Meier's Alpha Centauri

Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)

Silicon Laboratories CP210x VCP Drivers for Windows XP/2003 Server/Vista/7

Skype Click to Call

Skype™ 7.39

Spotify

SpywareBlaster 5.5

StarTopia

Steam

StudioTax 2012

StudioTax 2013

StudioTax 2014

StudioTax 2015

StudioTax 2016

SUPERAntiSpyware

Tales of Lagoona

Team Fortress 2

Torchlight

Update Installer for WildTangent Games App

Virtual Villagers 5 - New Believers

VirtualDJ 8

Warcraft III

Warfare Online

Welcome Center

WildTangent Games App (Acer Games)

Windows 10 Update and Privacy Settings

Windows Driver Package - Lutron Electronics Co. Inc. (WinUSB) USB  (11/10/2010 1.0.1)

Windows Live

Windows Live Communications Platform

Windows Live Essentials

Windows Live Galeria de Fotos

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Zuma's Revenge

.

==== Event Viewer Messages From Past Week ========

.

8/6/2017 6:24:23 PM, Error: Service Control Manager [7022]  - The Delivery Optimization service hung on starting.

8/6/2017 6:20:03 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {7022A3B3-D004-4F52-AF11-E9E987FEE25F}  and APPID  {ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}  to the user Expensive2\Matt SID (S-1-5-21-1593604833-3916467440-1390602024-1000) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

8/6/2017 6:19:57 PM, Error: Service Control Manager [7023]  - The SysMain service terminated with the following error:  The request is not supported.

8/6/2017 6:19:54 PM, Error: Service Control Manager [7001]  - The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

8/6/2017 6:19:50 PM, Error: Service Control Manager [7000]  - The CldFlt service failed to start due to the following error:  The request is not supported.

8/5/2017 8:44:49 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.

8/4/2017 6:16:40 PM, Error: Service Control Manager [7022]  - The Software Protection service hung on starting.

8/3/2017 5:47:31 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80073D02: Microsoft Photos.

8/2/2017 7:10:02 PM, Error: Service Control Manager [7034]  - The Downloaded Maps Manager service terminated unexpectedly.  It has done this 1 time(s).

8/1/2017 9:50:20 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

8/1/2017 9:50:20 PM, Error: Service Control Manager [7000]  - The Steam Client Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

8/1/2017 9:45:19 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.

8/1/2017 9:45:06 PM, Error: Service Control Manager [7043]  - The aswbIDSAgent service did not shut down properly after receiving a preshutdown control.

.

==== End Of File ===========================

 

Hello,



Update Malwarebytes and run a scan with it. Make sure you go into settings and activate "scan for rootkits" if it's not already active.

Post the log with the results.

Since you are using Avaqst already, uninstall McAfee WebAdvisor.



Also take these steps:



1. Go to Start and type CMD.exe in the search field. After you type that in, wait for a few moments and, when CMD.exe is displayed in the list above, right-click on it and select "Run as administrator".

2. In the black CMD window type the following and press Enter after each line:

 netsh winsock reset

ipconfig /flushdns

ipconfig /renew

nbtstat –R

nbtstat –RR

netsh int ip reset all

netsh winhttp reset proxy

3. Wait for CMD to be finished and reboot the computer.



If the issue still persists, please explain better what you mean by persistent browser hijacking.

Hi, thanks for your help so far. I followed your instructions but Chrome and Mozilla still seem afflicted. Edge seems on the surface of it at least, to be immune although who can really say. Certainly not me, which is why I`m here.



Mozilla sometimes opens with:



https://mysagagame.com/preland-2912_3.html?pid=10&sid=1&nonad=1&s2s=VjN8MTcwMjl8Nzc4NDU1fDY5MzI1NHwxNTAyMjUzMDA3fDAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMHw5Ni41MC4xMTcuNDF8Mnw1NTljMGIyNWE5NWM4NmY3MWJlMjQyZjkyNjA1MDllNg==



Both Mozilla and Chrome will sometimes open with:



https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqeWVplEMStvzxHHBJNU4alLJVfNKZPqlc9wlhFs7rMh59EMR1%2B%2B0



And one time I saw Chrome open with:



https://playinghome.com/b40/index.php?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00MzdhLTRmZDQtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjM2ZTYyMDAwLTdjYjctMTFlNy04ZmExLWI5ZjgzZWZlYThlY19fY2FpZC4uY2RjMTUyODItYzcyOS00Y2UzLWFjYjItMjUzYzY2Zjg4NzJkX19ydC4uUl9fbGlkLi45OGQ4NjIzZC05NTEzLTQ2ZDEtYjc4NC0zNmMwNzZlOTI1N2JfX29pZDEuLmEyNDQwOTA3LTA3MTgtNGIxMC04MzRiLWI3OTUyM2U1MjZjM19fdmFyMS4uNDcxMTUyX192YXIyLi42NTAyOTlfX3JkLi5waXBlc2NoYW5uZWxzXC5cY29tX19haWQuLl9fYWIuLl9fc2lkLi5fX2NyaS4uX19wdWIuLl9fZGlkLi5fX2RpdC4uX19waWQuLl9faXQuLl9fdnQuLjE1MDIyNTM1MjMxNTc&zoneid=471152&campaignid=650299&visitor_id=358333828498



And there isn`t anything I can do about it at the moment.



Just tried Avast safezone for I think possibly the first time ever and I brought up launchpage.org



Why Edge isn't bringing up this stuff I do not know. Any and all help is and will be much appreciated. Thanks again. M

 

OK so it appears I've found a combination of removal tools that appear to have worked but I would still appreciate someone looking over the process I've used. I have no way of knowing of the thoroughness of this method or even if it was just that one infection. The process used for removing the Launchpage.org browser hijack can be found at:



https://www.bleepingcomputer.com/virus-removal/remove-launchpage.org-home-page-hijacker



It uses a combination of no less than 5 removal tools, some of which I had heard of but most not. Any thoughts or further advice would be most appreciated.

Bleepingcomputer.com is a site you can trust! They test a lot and usually have very accurate removal instructions.



The only thing I would add about general situations is that those guides specifically address a particular infection, but if the infection is part of a trojan, then you may still have things to fix.

Your shortcuts were also hijacked, so that is why the "infection" persisted and that does not show up in the logs. I would have to recommend that you install a trial of BullGuard and let it further clean your computer (you would need to uninstall Avast at this point, so it's really your choice).