Solved Been trying everything and that's just as bad as whatever I have

Status
Not open for further replies.

tiogegeca

Level 1
Thread author
Verified
Feb 29, 2016
51
It seems to take over the Windows 10 security configuration. It disables antivirus, firewall etc. and blocks me from restoring. It seems to be related to the Microsoft user account login. It's easy to clean it up, but it keeps coming back. I raised Windows user account security notifications to the maximum, so that at least I get notified of what's being changed every time it comes back after adware cleanings by Zemana and such. I have been denying the startup changes (check the attached startup notification picture), and this kept the notebook almost normal and free of the ads, but still with the Windows 10 security changes and many configs like internet etc. all blocked. It even won't let me open Office files (check the attached picture of the Office error when trying to open a Word file), probably because my Microsoft user account identity isn't being recognized. Today I accepted the changes at startup and the opening of ad pages at any click came back (check the 2 attached pictures), as well as the proxy server config (check the attached proxy server settings picture). Even Web.Whatsapp is prevented from working (check the attached picture).
 

Attachments

  • startupchanges.jpg (154.3 KB)
  • proxy server settings.jpg (224 KB)
  • Office error.jpg (184.9 KB)
  • ad pages today.jpg (98.4 KB)
  • even whatsapp is denyed.jpg (51 KB)
  • ads page.jpg (70.6 KB)

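The settings described in the post above (the proxy server, the disabled antivirus and firewall, the blocked restore) are all readable from the registry, so one way to see exactly what is being re-applied at each restart is to snapshot them and diff the snapshot across a reboot. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned in it; it assumes Windows 10 and an elevated prompt, and the snapshot file name on the Desktop is my choice.

```powershell
# Added example (not from the thread): snapshot the settings this kind of adware rewrites
# and diff them across a reboot. Assumes Windows 10 and an elevated PowerShell prompt.

function Get-HijackSnapshot {
    $s = [ordered]@{}

    # WinINET proxy: what the "proxy server settings" dialog shows and what browsers honour.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    foreach ($n in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL', 'ProxyOverride') { $s["WinINET.$n"] = $inet.$n }

    # WinHTTP proxy: used by services and Windows Update rather than by browsers.
    $s['WinHTTP.Proxy'] = ((netsh winhttp show proxy) | Where-Object { $_ -match 'Proxy|Direct' }) -join ' '

    # Policy values that switch Windows Defender off; a home PC should have none of them.
    $defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $s['Defender.DisableAntiSpyware']       = (Get-ItemProperty $defPol -ErrorAction SilentlyContinue).DisableAntiSpyware
    $s['Defender.DisableRealtimeMonitoring'] = (Get-ItemProperty "$defPol\Real-Time Protection" -ErrorAction SilentlyContinue).DisableRealtimeMonitoring

    # Firewall profile state and the System Restore policy lock.
    foreach ($fp in Get-NetFirewallProfile) { $s["Firewall.$($fp.Name)"] = "$($fp.Enabled)" }
    $sr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
    $s['SystemRestore.DisableSR']     = $sr.DisableSR
    $s['SystemRestore.DisableConfig'] = $sr.DisableConfig

    # Run keys: the usual place a change gets re-applied at every logon.
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $s["Run.$hive.$($p.Name)"] = $p.Value }
            }
        }
    }
    return $s
}

function Compare-HijackSnapshot($Before, $After) {
    # One row per setting whose value differs between the two snapshots.
    $keys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $b = "$($Before[$k])"; $a = "$($After[$k])"
        if ($b -ne $a) { [pscustomobject]@{ Setting = $k; Before = $b; After = $a } }
    }
}

# First run: save a baseline right after cleaning. Later runs: show what came back.
$snap = Join-Path $env:USERPROFILE 'Desktop\hijack-snapshot.xml'
$now  = Get-HijackSnapshot
if (Test-Path $snap) {
    $diff = Compare-HijackSnapshot -Before (Import-Clixml $snap) -After $now
    if ($diff) { $diff | Format-Table -AutoSize } else { 'No change since the baseline.' }
} else {
    $now | Export-Clixml $snap
    "Baseline saved to $snap. Run again after the next reboot to see what was changed."
}
```

Run it once immediately after a clean, reboot, and run it again: the table lists each setting whose value changed, for instance a ProxyEnable that went from 0 to 1 or a Run value that reappeared. A ProxyServer pointing at 127.0.0.1 on some port, or an AutoConfigURL you did not set, is the typical footprint of a local ad-injecting proxy, and the Run entry or service that restores it is the thing the cleaners have to remove.
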
tiogegeca
I just ran FRST and Zemana again (check attached logs).
 

Attachments

  • Addition.txt (60.2 KB)
  • FRST.txt (81.8 KB)
  • 2016.03.03-16.04.13-i0-t92-d3.txt (4.1 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.




Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following text into the 'File name:' box:

    Code:
    C:\Program Files (x86)\GbPlugin\gbiehAbn.dll
  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.



Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Attachments

  • fixlist.txt (3.6 KB)

tiogegeca

Thank you very much again TwinHeadedEagle. This file (C:\Program Files (x86)\GbPlugin\gbiehAbn.dll) is the ugly security stuff by Santander online banking in Brazil. Santander bought ABN's operations in Brazil, so it is still named as an ABN dll. It's obtrusively nagging but it's certainly not the cause of my problems. Here's the VirusTotal URL: Antivirus scan for c6ff43a8522ffd18e445087be38ac38e034684653020401a10140023020b42e4 at 2016-03-03 20:51:36 UTC - VirusTotal

I will do the rest in a while.
 

tiogegeca
Thank you TwinHeadedEagle. The ad pages have come back (attached picture). While Malwarebytes was updating (it is running now) its small windows started to pop up as ad pages were being blocked. They all said that the process causing this is: C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe (check the other picture attached)
 

Attachments

  • sysnetwk.jpg (166.9 KB)

TwinHeadedEagle
Can you scan this file on VirusTotal?

C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe

Also, please perform FRST fix and MalwareBytes scan.
 

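Before uploading a binary it helps to record what is known about it locally: its SHA-256 (which is what VirusTotal keys on, so the hash can be searched without uploading the file), its Authenticode status, the running process's command line and parent, its live connections (the ones Malwarebytes is blocking), and every Run key, service or scheduled task that would relaunch it after it is killed. The following PowerShell is an added example and not part of the thread or of Malwarebytes; it assumes Windows 10 with an elevated prompt, and the path is the one the earlier post reported.

```powershell
# Added example (not from the thread): what to record about a reported binary before
# uploading it. Assumes Windows 10 and an elevated PowerShell prompt.
$target = 'C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe'   # path Malwarebytes reported

function Get-SuspectFileReport([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force          # -Force: the file may be hidden
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        Hidden      = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # searchable on VirusTotal
        Signature   = $sig.Status                         # NotSigned, Valid, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
    }
}

function Get-SuspectProcessReport([string]$Path) {
    # Win32_Process exposes the command line and parent PID, which Get-Process does not.
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $Path } | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $conns  = Get-NetTCPConnection -OwningProcess $_.ProcessId -ErrorAction SilentlyContinue |
                  ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) $($_.State)" }
        [pscustomobject]@{
            PID         = $_.ProcessId
            CommandLine = $_.CommandLine
            Parent      = "$($parent.Name) ($($_.ParentProcessId))"
            Started     = $_.CreationDate
            Connections = ($conns -join '; ')
        }
    }
}

function Find-PersistenceReferences([string]$Needle) {
    # Everything that would start a binary whose path contains $Needle at boot or logon.
    $hits = @()
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$Needle*") {
                $hits += [pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$($p.Name)"; Command = $p.Value }
            }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Needle*" }) {
        $hits += [pscustomobject]@{ Kind = 'Service'; Where = $svc.Name; Command = $svc.PathName }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -like "*$Needle*") {
                $hits += [pscustomobject]@{ Kind = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    $hits
}

Get-SuspectFileReport $target | Format-List
Get-SuspectProcessReport $target | Format-List
Find-PersistenceReferences 'sysnetwk' | Format-Table -AutoSize
```

Paste the SHA256 value into the VirusTotal search box to see whether the file is already known before uploading it. The Parent and Connections fields matter when a web filter keeps blocking the process but scans find nothing: the parent is what respawns it, and an empty persistence table means the launcher lives somewhere this script does not look (a WMI subscription, a Winlogon value or a DLL loaded by a legitimate process), which is the point at which a FRST log is more useful than another scan.
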
tiogegeca
Thank you. Yes. Before that, let me upload the 3 Malwarebytes logs. BTW the small window about sysnetwk.exe is still quite active.
 

Attachments

  • antimalwarebytes-1.txt (2.2 KB)
  • antimalwarebytes-2.txt (5.8 KB)
  • antimalwarebytes-3.txt (47.5 KB)

TwinHeadedEagle
I gave you a FRST fix to perform. Did you remove all items found by MalwareBytes? Is it finding something in new scan?
 

tiogegeca
Thank you very much for your attention. I used the last FRST fixlist you had sent me a few posts ago. I did another Malwarebytes scan with correction, but it didn't detect any threats (here are the 2 logs). The small windows of Malwarebytes (blocking sysnetwk.exe because of ad pages) keep coming up, but the ad pages too are still up. Zemana (still installed on the notebook) seemed to work faster, being less disturbing at correcting the same stuff. But it all comes back, like Chrome resetting all the time. Gmail on Chrome is only loading as HTML. Every restart I'm asked about changes by "Exchange ActiveSync Policies Broker".
 

Attachments

  • Fixlog.txt (6.2 KB)
  • malwarebytes log 2 - Copia.txt (38.7 KB)
  • malwarebytes log 1 - Copia.txt (1.3 KB)

tiogegeca
Now, not even Zemana has cleaned up. Here's its log.
 

Attachments

  • 2016.03.04-09.13.48-i0-t92-d3.txt (3.9 KB)

tiogegeca
I've done a few Zemana verifications during the day and about 5 times today it only found and deleted the same Verisign thing with a kilometric name:

HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\194F0E6B21FF4D88F99A3A2F1AE60BDC4A1BC8DD\Blob
 

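A root-store entry that a cleaner deletes and that reappears is worth reading rather than just deleting again: the registry value is a serialized certificate, and the same thumbprint may also be held in stores the cleaner never looked at (the per-user Root store, or the Group Policy stores, which have no Cert: drive view). The following PowerShell is an added example, not from the thread or from Zemana; it parses the Blob value at the thumbprint in the post above from each location and reports the subject, issuer, validity dates and signature algorithm. The record layout it relies on (property records, with property ID 32 carrying the DER certificate) is the standard serialized store format. Nothing on this page states what this particular certificate is, and the script does not decide that.

```powershell
# Added example (not from the thread): read the certificate behind the registry entry from
# every store it might live in. Assumes Windows 10 and an elevated PowerShell prompt.
$thumb = '194F0E6B21FF4D88F99A3A2F1AE60BDC4A1BC8DD'   # the entry Zemana keeps deleting

function ConvertFrom-CertBlob([byte[]]$Blob) {
    # A store "Blob" value is a list of records: propId (4 bytes), reserved (4), length (4), data.
    # Property 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
    $i = 0
    while ($i + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $i)
        $len    = [int][BitConverter]::ToUInt32($Blob, $i + 8)
        if ($i + 12 + $len -gt $Blob.Length) { break }            # truncated or foreign data
        if ($propId -eq 32) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $i + 12, $der, 0, $len)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $i += 12 + $len
    }
}

function Get-RootCertReport([string]$Thumbprint) {
    # Physical stores that Windows merges into its trusted-root view. A cleaner that only
    # empties the first one leaves the copy in another, and the entry "comes back".
    $stores = [ordered]@{
        'Machine Root'        = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
        'Machine AuthRoot'    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
        'Machine Policy Root' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
        'User Root'           = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
        'User Policy Root'    = 'HKCU:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    }
    foreach ($name in $stores.Keys) {
        $key  = "$($stores[$name])\$Thumbprint"
        $cert = $null
        if (Test-Path $key) { $cert = ConvertFrom-CertBlob (Get-ItemProperty $key).Blob }
        [pscustomobject]@{
            Store        = $name
            Present      = [bool]$cert
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = $(if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null })
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            RegistryKey  = $key
        }
    }
}

Get-RootCertReport $thumb | Format-List

# The merged view Windows itself uses, for comparison with the physical locations above.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object PSParentPath, Subject, NotBefore, Thumbprint
```

Two fields answer the question the post raises: NotBefore and SelfSigned. The VeriSign roots that Windows ships were issued between the late 1990s and the late 2000s; a self-signed certificate with a VeriSign-style subject whose NotBefore is within days of the problems starting is not one of them, and every store in which it turns up as Present is one the cleaner must also clear (Remove-Item on each RegistryKey listed does that). A cleaner that reports success yet sees the entry return is usually missing one of those locations or is racing the process that reinstalls it, which is why the root certificate and the proxy setting should be removed in the same pass as the binary that plants them.
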
TwinHeadedEagle
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.
  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
 

tiogegeca
# AdwCleaner v5.037 - Report created 05/03/2016 at 23:09:09
# Updated 28/02/2016 by Xplode
# Database : 2016-03-02.1 [Server]
# Operating system : Windows 10 Home Single Language (x64)
# User : Tio - GGKVOSTROA50
# Running from : C:\Users\Tio\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Tio\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen

***** [ Files ] *****

[-] File Deleted : C:\Users\Tio\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage
[-] File Deleted : C:\Users\Tio\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage-journal

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

[-] [C:\Users\Tio\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : kbfnbcaeplbcioakkpcpgfkobkghlhen
[-] [C:\Users\rogerio\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings restored

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1848 bytes] - [28/02/2016 18:52:51]
C:\AdwCleaner\AdwCleaner[C2].txt - [2173 bytes] - [29/02/2016 08:11:06]
C:\AdwCleaner\AdwCleaner[C3].txt - [2244 bytes] - [29/02/2016 09:07:21]
C:\AdwCleaner\AdwCleaner[C4].txt - [1675 bytes] - [05/03/2016 23:09:09]
C:\AdwCleaner\AdwCleaner[S1].txt - [1662 bytes] - [28/02/2016 18:48:56]
C:\AdwCleaner\AdwCleaner[S2].txt - [1975 bytes] - [29/02/2016 08:08:40]
C:\AdwCleaner\AdwCleaner[S3].txt - [2049 bytes] - [29/02/2016 09:04:58]
C:\AdwCleaner\AdwCleaner[S4].txt - [1930 bytes] - [05/03/2016 23:05:13]

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [2040 bytes] ##########
 

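The AdwCleaner report above removed one extension folder and its Secure Preferences entry, and a Chrome that "resets all the time" is consistent with something re-adding what was removed. Two things worth listing before a reinstall are the extensions actually present in the profile, with their real names (manifests often store the name as a __MSG_ placeholder that is resolved from _locales) and the permissions they request, and any Chrome policy values in the registry, because a policy-forced extension, search provider or proxy setting is re-applied on every start regardless of what was deleted from the profile. The following PowerShell is an added example, not from the thread or from AdwCleaner; it assumes Windows 10 and the Default profile under %LOCALAPPDATA%, and the set of permissions it treats as risky is my choice.

```powershell
# Added example (not from the thread): inventory the Chrome profile's extensions with their
# resolved names and permissions, then list Chrome policy values held in the registry.
# Assumes Windows 10 and the "Default" profile under %LOCALAPPDATA%.
$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
# Permissions that let an extension rewrite or redirect traffic (my choice of list).
$riskyPerms = 'webRequest', 'webRequestBlocking', 'proxy', '<all_urls>', 'http://*/*', 'https://*/*', 'management'

function Get-ChromeExtensionInventory([string]$ProfileDir) {
    $extRoot = Join-Path $ProfileDir 'Extensions'
    if (-not (Test-Path $extRoot)) { return }
    foreach ($idDir in Get-ChildItem $extRoot -Directory) {
        foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $m    = Get-Content $manifestPath -Raw | ConvertFrom-Json
            $name = $m.name
            if ($name -match '^__MSG_(.+)__$') {
                # Localised name: resolve the placeholder from _locales/<default_locale>/messages.json.
                $key = $Matches[1]
                $loc = Join-Path $verDir.FullName "_locales\$($m.default_locale)\messages.json"
                if (Test-Path $loc) {
                    $msgs  = Get-Content $loc -Raw | ConvertFrom-Json
                    $entry = $msgs.PSObject.Properties | Where-Object { $_.Name -eq $key } | Select-Object -First 1
                    if ($entry) { $name = $entry.Value.message }
                }
            }
            $perms = @(@($m.permissions) | Where-Object { $_ } | ForEach-Object { "$_" })
            [pscustomobject]@{
                Id          = $idDir.Name
                Name        = $name
                Version     = $m.version
                Installed   = $verDir.CreationTime
                Risky       = [bool]($perms | Where-Object { $riskyPerms -contains $_ })
                Permissions = ($perms -join ',')
            }
        }
    }
}

function Get-ChromePolicyOverrides {
    # Anything under the Chrome policy keys is re-applied on every start, so it survives
    # a profile clean and a reinstall. These are the values adware most often plants.
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Google\Chrome"
        foreach ($listKey in 'ExtensionInstallForcelist', 'ExtensionInstallSources', 'RestoreOnStartupURLs') {
            $list = Get-ItemProperty "$base\$listKey" -ErrorAction SilentlyContinue
            if (-not $list) { continue }
            foreach ($p in $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                [pscustomobject]@{ Hive = $hive; Policy = $listKey; Value = $p.Value }
            }
        }
        $pol = Get-ItemProperty $base -ErrorAction SilentlyContinue
        if (-not $pol) { continue }
        foreach ($n in 'HomepageLocation', 'DefaultSearchProviderName', 'DefaultSearchProviderSearchURL',
                       'ProxyMode', 'ProxyServer', 'ProxyPacUrl') {
            if ($null -ne $pol.$n) { [pscustomobject]@{ Hive = $hive; Policy = $n; Value = $pol.$n } }
        }
    }
}

Get-ChromeExtensionInventory $profileDir | Sort-Object Risky -Descending | Format-Table -AutoSize
$overrides = @(Get-ChromePolicyOverrides)
if ($overrides) { $overrides | Format-Table -AutoSize } else { 'No Chrome policy values found in the registry.' }
```

The same policy values are shown by chrome://policy inside the browser. An ExtensionInstallForcelist entry for an ID you never deployed, or a DefaultSearchProviderSearchURL you did not choose, is what to delete before reinstalling Chrome; otherwise the reinstall brings the extension and the search provider straight back, which is exactly the "Chrome resetting all the time" symptom.
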
tiogegeca
But let me tell you that Malwarebytes is still blocking malicious websites from the sysnetwk and chrome processes.
 

TwinHeadedEagle
Can you reinstall Google Chrome and Mozilla Firefox?

Uninstall Chrome

  • Export your bookmarks first: Import or export bookmarks - Chrome Help
  • Close all Chrome windows and tabs.
  • Go to the Start menu > Control Panel.
  • Click Programs and Features.
  • Double-click Google Chrome.
  • Click Uninstall in the confirmation dialog. To delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.
  • Click Start, paste %LOCALAPPDATA%\ into the search box and remove the Google folder.
  • Download and install Chrome again: Chrome Browser

Uninstall Firefox

  • Uninstall Firefox (Programs and Features).
  • Click Start, paste %APPDATA%\ into the search box and delete the Mozilla folder.
  • Click Start, paste %LOCALAPPDATA%\ into the search box and delete the Mozilla folder.
  • Then delete the following folders:
    C:\Program Files (x86)\mozilla firefox
    C:\Program Files (x86)\Mozilla Maintenance Service
  • Restart your PC.
  • Then install Firefox again.
 

tiogegeca
OK. Thank you. Done that. But the little window of Malwarebytes blocking malicious websites is still quite active. Can it be something related to SHA-1? Because that's always the first user modification that appears for me to authorize or not every time I restart. And I've been denying it most of the time. When I do accept, it doesn't change much of this situation.
 