Default browser opening by itself (outgoing trafic)

[nasdaq]

Hi,

The logs are clean.
The Hosts file and the ZoneMap were reset.

How ever a few hours after you used your computer the problem returned.

Please investigate the possibility that these .lnks are the carrier.

ultraiso.exe
UltraISO Premium
EZB Systems, Inc.

Malware scan of ultraiso.exe (UltraISO Premium) a9427da91ca66ed94807eb0f3983e9df924e37ff - herdProtect

herdProtect antiviru scan for the file ultraiso.exe (SHA-1 a9427da91ca66ed94807eb0f3983e9df924e37ff). 39 of 68 antivirus programs detected ultraiso.exe as malicious software.

www.herdprotect.com

To check without deleted these .lnk I suggest you rename by adding .old to all the shorcut links.
Such as C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Help.lnk.old

Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Help.lnk -> C:\Program Files (x86)\UltraISO\ultraiso.chm ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Readme.lnk -> C:\Program Files (x86)\UltraISO\Readme.txt ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Revision History.lnk -> C:\Program Files (x86)\UltraISO\History.txt ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO.lnk -> C:\Program Files (x86)\UltraISO\UltraISO.exe (EZB Systems, Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\Uninstall UltraISO.lnk -> C:\Program Files (x86)\UltraISO\unins000.exe ()
Shortcut: C:\Users\Public\Desktop\UltraISO.lnk -> C:\Program Files (x86)\UltraISO\UltraISO.exe (EZB Systems, Inc.)
InternetURL: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Online Order.url -> URL: hxxp://www.ezbsystems.com/ultraiso/order.htm
InternetURL: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraISO\UltraISO Web Site.url -> URL: hxxp://www.ezbsystems.com/index.php


R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [125856 2020-11-01] (Shenzhen Yibo Digital Systems Development Co., Ltd. -> EZB Systems, Inc.)
Read this, you may have to delete the file or add .old extension to stop if from executing.

What is isodrv64.sys?

Information about What is isodrv64.sys?

www.freefixer.com

<<<>>>

This shortcut can be deleted.
Shortcut: C:\Users\Vintage\Desktop\Windows Update.lnk -> C:\Windows\system32\eudcedit.ex (No File)

Restart the computer normally.
If the problem is solved I can give you a fix to remove all traces.
<<<>>>

If the problem persists have a look at your Router settings.

The only thing we did not do is to reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it

Router Passwords Community Database - The Wireless Router Experts
phenoelit-us.org
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.

How to Reset Your Frontier IP Address (4 Steps)

Resetting your Frontier Internet Protocol address is straightforward. Every time your DSL modem is rebooted, so is your IP address. Resetting your hardware helps clear its memory and will typically fix common connectivity issues. Most of the time the modem will have a new IP address assigned to...

itstillworks.com

===

Keep me posted.

 

[Vintage]

Ultra iso has nothing to do with it - every installer, if I download it, check it on the VirutsTotal website.

Besides, I recently used this ultra iso 1 time since I don't know when even. When my problem started to appear, I did not use it.

I have already re-installed the whole system many times - the problem came back every time.
I have already reset the router to factory settings many times (while formatting the computer, I wrote about it earlier and it did not help) the problem kept coming back every time.

So after 2 weeks of torment and attempts that did not solve my problem, I decided to buy a new hard drive and:

1. I disconnected the computer from the network completely (I do not have a wifi in my PC, cable was pluged off my pc)
2. I have disconnected all hard drives.
3. I took out and put the CMOS battery, RAM and Rested Bios in.
4. I Fleshed BIOS.
5. I have connected a completely new hard drive.
6. I have installed the system from a bootable USB flash drive (new - never inserted in my PC before)
7. I installed the basic drivers (Realtek, Lan, Usb from the manufacturer's board of my motherboard).
8. I installed the NVIDIA graphics driver and firefox browser - the installs were copied from my brother's computer (which is on the same home network, they were all freshly downloaded).
9. I updated my computer overnight.
10. Today on 15/11 the problem has returned.

I am an IT specialist myself and I have never dealt with something like this - no scans and restarts - of the router - the disks, the system do not work. At this point, all I can think of is: is it possible that some virus site has my IP address? and that's why this problem comes back ??? what the F$ is this with !? I have 2 other computers in my network, they are all connected the same as mine, i.e. and they dont have my problem.

My PC, PC2, PC3 = connected to a switch and this is connected to a router that provides internet access.

My PC, PC2, PC3 <-> Switch <-> Router <-> Internet

What else can I do ?
Ask to change my IP address of my ISP?

 

[Vintage]

UPDATE:

In 'Windows Firewall and Advanced Security on Local Computer' I added 1 rule for inbound and outbound traffic in tabs (Outbound Rules / Inbound Rules) blocking the IP address which I added at the beginning of this topic in the attachment. (fwcdn.png attachment in my 1 post in this topic) (see attachments outbound / inbound rules)

When 'this' $ hitstorm started (2 weeks ago), I installed the mbytes program for the first time and it blocked the outgoing traffic to the fwcdn.pl domain from the browser several times (see attachment: fwcdn.png).

After adding these rules (I do not know if I added them correctly) So far no browser opened by itself but I will wait and inform you.

I also talked to my internet provider and he said: that although I seem to have a fixed IP, it changes every now and then (the server allocates other ~~ and that he strongly doubts that 'something' connects to my computer only from outside- and 2 others in this the same network are healthy)

PLEASE consider the possibility where this 'virus' may have its source on my computer:
1. I have no external drives or foreign USB
2. I formatted my computer multiple times and bought a new disk - the virus still came back.
3. I fleshed the BIOS (2 times) - that didn't help either.
4. I have reset the Router (many times) - that didn't help either

So it turns out that this 'virus' is sitting somewhere in my computer,
where can he be? what could its location be - and how to get rid of it?

-processor?
-motherboard?

I guess only these places were left to be explored - nowhere else can the virus nest ???

 

[nasdaq]

Hi,

There is no virus or trojan on you computer.

Your IP address assigned by your provider are being ping.
If found you get the popup.

The IP address is blocked.

You can also block the domain fwcdn.pl with the HOSTS file.

Add the following line to the HOSTS file.
Leave the current information as is.

127.0.0.1 fwcdn.pl

Make sure you save the file before closing it.

===

I will leave the topic open for 6 days,
You can return if needed.

p.s.
Learn about the HOST file.

Blocking Unwanted Connections with a Hosts File

This article provides details on blocking Ads, Banners, Parasites, and Hijackers, web bugs, possibly unwanted programs etc. with a custom HOSTS file

winhelp2002.mvps.org

 

[Vintage]

Hi,

There is no virus or trojan on you computer.

Your IP address assigned by your provider are being ping.
If found you get the popup.

The IP address is blocked.

You can also block the domain fwcdn.pl with the HOSTS file.

Add the following line to the HOSTS file.
Leave the current information as is.

127.0.0.1 fwcdn.pl

Make sure you save the file before closing it.

===

I will leave the topic open for 6 days,
You can return if needed.

p.s.
Learn about the HOST file.

Blocking Unwanted Connections with a Hosts File

This article provides details on blocking Ads, Banners, Parasites, and Hijackers, web bugs, possibly unwanted programs etc. with a custom HOSTS file

winhelp2002.mvps.org

So u are 100% sure there is no chance dat wirus is on my computer?
So if i understand it what u say: there is some constant pinging my ip from some outer source???
So the only TRUE solution is: realny change my current ip adress? is dat correct what im saying?

Can u guide me how to block ping (my pc ) from outer sources (step-by-step) so no1 can ping me in future?

 

[Vintage]

Update: i cant save edited host file - (dont have permision ??! - even on admin account)

UPDATe: ok i got it - runed notepad as admin ;p

 

[Vintage]

Update: eh. default browser still opening by itself. Should i block whole imcp pinging for outbound traffic?
Will windows and other programs run properly when I do this?

Update: i done this for ipv4 for inbound and outbound traffic and browser still opening by itself sometimes 2 at once
i done this also for ipv6 for inbound traffic and browsers still opening. cant do this for outbound rules - anyway At this point i dont even know if its a correct way of proceding.

maybe i setted them in wrong way i dont know ...

 

[nasdaq]

Hi,

Edit your HOST file again.

::1 localhost

Leave a space after ::1 and edit your previous entry to:


0.0.0.0 fwcdn.pl

Save the File.

Restart the computer normally.

If the problem persists then these are pupups are being generated if some Browsers are Synced with other devices or from what is know at PUSH notification.


Malwarebytes's push notifications blog.

PUP.Optional.PushNotifications | Malwarebytes Labs

PUP.Optional.PushNotifications is Malwarebytes' detection name for a large collection of domains that deploy malicious or fraudulent web push notifications.

blog.malwarebytes.com

Folllow the instrutions.

Restart the computer normally.

If you need Malwarebytes install the Free version.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer

• Right-click on the MBAM icon and select Run as administrator to run the tool.[/*]
• Click Yes to accept any security warnings that may appear.[/*]
• Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.[/*]
• On the left menu pane click the Settings tab, and then select the Protection tab on the top.[/*]
• Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.[/*]
• Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button[/*]
• Note: The scan may take some time to finish, so please be patient.[/*]
• If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.[/*]
• While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.[/*]
• The log can also be viewed by clicking the log to select it, then clicking the View Report button.[/*]

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

p.s.
This program works well with Windows Defender.
In time you may decide to get the paid version. This will give you real time protection.

 

[nasdaq]

Hi,

Sorry I missed your reply.
Do you still need help?