Windows 10: I have contracted a Virus that shows many Ads

Discussion in 'AntiVirus, Firewalls and System Security' started by Writer, Nov 14, 2015.

  1. Writer Win User

    Junkware Removal Tool ran fast this time: it finished in 6 minutes. The LogFile is below:

    Junkware Removal Tool 11-16-2015 5.08 pm.docx

    I'll start working on ESET shortly.
     
    Writer, Nov 16, 2015
    #31
  2. simrick Win User

    Your first RKILL log

    Rkill 2.8.2 by Lawrence Abrams (Grinler)
    BleepingComputer.com - News, Reviews, and Technical Support
    Copyright 2008-2015 BleepingComputer.com
    More Information about Rkill can be found at this link:
    RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus and Anti-Malware Software
    Program started at: 11/16/2015 11:51:52 AM in x86 mode.
    Windows Version: Windows 10 Home
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * Windows Defender Disabled
    [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    Your 2nd RKILL Log

    Rkill 2.8.2 by Lawrence Abrams (Grinler)
    BleepingComputer.com - News, Reviews, and Technical Support
    Copyright 2008-2015 BleepingComputer.com
    More Information about Rkill can be found at this link:
    RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus and Anti-Malware Software
    Program started at: 11/16/2015 04:08:35 PM in x86 mode.
    Windows Version: Windows 10 Home
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * Windows Defender Disabled
    [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001
    Checking Windows Service Integrity:
    * b06bdrv [Missing Service]
    * ebdrv [Missing Service]
    * iaLPSSi_GPIO [Missing Service]
    * iaLPSSi_I2C [Missing Service]
    * ibbus [Missing Service]
    * ksthunk [Missing Service]
    * mlx4_bus [Missing Service]
    * ndfltr [Missing Service]
    * PerfHost [Missing Service]
    * vpci [Missing Service]
    * WinMad [Missing Service]
    * WinVerbs [Missing Service]

    (I believe these are a glitch in the RKILL program - nothing to worry about)


    * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_x86_a4832450a7024d49\CompositeBus.sys [Incorrect ImagePath]
    * gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]
    * NetTcpPortSharing => %systemroot%\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [Incorrect ImagePath]
    * swenum => \SystemRoot\System32\DriverStore\FileRepository\swenum.inf_x86_b6707c73599dd1b6\swenum.sys [Incorrect ImagePath]

    * PrintNotify => C:\WINDOWS\system32\spool\drivers\W32X86\3\PrintConfig.dll [Incorrect ServiceDLL]
    Searching for Missing Digital Signatures:
    * No issues found.
    Checking HOSTS File:
    * No issues found.

    Program finished at: 11/16/2015 04:10:03 PM
    Execution time: 0 hours(s), 1 minute(s), and 28 seconds(s)

    Your TDSSKiller log

    13:29:25.0610 0x0c90 AV detected via SS2: Windows Defender, C:\Program Files\Windows Defender\MSASCui.exe ( 4.8.10240.16384 ), 0x60100 ( disabled : updated )

    Your ADWCleaner log

    # AdwCleaner v5.021 - Logfile created 16/11/2015 at 16:41:40
    # Updated 14/11/2015 by Xplode
    # Database : 2015-11-13.3 [Server]
    # Operating system : Windows 10 Home (x86)
    # Username : User - USER-PC
    # Running from : C:\Users\User\Downloads\AdwCleaner.exe
    # Option : Cleaning
    # Support : Forum - ToolsLib
    ***** [ Services ] *****

    ***** [ Folders ] *****

    ***** [ Files ] *****

    ***** [ DLLs ] *****

    ***** [ Shortcuts ] *****

    ***** [ Scheduled tasks ] *****

    ***** [ Registry ] *****
    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9563BC59-9556-4805-8CD4-886781779D8D}

    So, let's see how it goes with your JRT and ESET scans.
    We may need to run Malwarebytes AntiRootkit next after them.

    (I'm sorry, but you were terribly infected - once one thing got on the system, it started bringing all kinds of other stuff in. I will be interested to see your MBAM logfile.)

    Instructions from BC:

    Download Malwarebytes Anti-Rootkit to your desktop.

    • Double-click "mbar.exe" to start the tool.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Click in the introduction screen "next" to continue.
    • Click in the following screen "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
     
    simrick, Nov 16, 2015
    #32
  3. simrick Win User
    Your JRT log

    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.0 (11.12.2015)
    Operating System: Windows 10 Home x86
    Ran by User (Administrator) on Mon 11/16/2015 at 17:06:39.26
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    File System: 3
    Successfully deleted: C:\Users\User\AppData\Local\installer (Folder)
    Successfully deleted: C:\Users\User\Appdata\LocalLow\company (Folder)
    Successfully repaired: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk (Shortcut)
    Registry: 0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 11/16/2015 at 17:08:27.95
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    That's good.
    Now please upload your MBAM scan log. Thanks.

    EDIT: I will be unavailable for about an hour now, but that should be okay because ESET will take quite a while to run.
     
    simrick, Nov 16, 2015
    #33
  4. Writer Win User

    When I go to Defender Desktop app, I get the following message. This doesn't seem right. Shouldn't Defender be on normally? How do I go about turning Defender on?

    Also: What were you able to conclude from the several LogFiles that you reviewed?
     
    Writer, Nov 16, 2015
    #34
  5. simrick Win User
    As I suspected, your Windows Defender was disabled by the malware. The bulk of it is gone, but you are not clean yet.

    Please post the Malwarebytes scan log so I can identify what infected you.

    What scan are you on now please?
     
    simrick, Nov 16, 2015
    #35
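The Rkill logs quoted in post #32 and the conclusion in post #35 both rest on the `DisableAntiSpyware` policy value under the Windows Defender policy key. The following is an added example, not part of the thread or of Rkill itself: a small parser that groups an Rkill log's findings and reports whether that policy value is set. The function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the format of the Rkill logs quoted above.
SAMPLE_LOG = r"""Checking for Windows services to stop:
* No malware services found to stop.
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
Checking Windows Service Integrity:
* b06bdrv [Missing Service]
* PerfHost [Missing Service]
* gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]
* PrintNotify => C:\WINDOWS\system32\spool\drivers\W32X86\3\PrintConfig.dll [Incorrect ServiceDLL]
Checking HOSTS File:
* No issues found.
"""

DEFENDER_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
SECTION = re.compile(r"^(Checking|Performing|Searching)\b.*:$")
TAGGED = re.compile(r"^\*\s+(?P<name>\S+)(?:\s+=>\s+(?P<value>.*?))?\s+\[(?P<tag>[^\]]+)\]$")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<data>[0-9a-fA-F]{8})$')

def parse_rkill(text):
    """Group Rkill findings: clean sections, tagged service entries, registry values, other."""
    report = {"clean": [], "services": defaultdict(list), "registry": {}, "other": []}
    section = key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if SECTION.match(line):
            section, key = line.rstrip(":"), None  # a new section ends any registry block
        elif m := TAGGED.match(line):
            report["services"][m["tag"]].append((m["name"], m["value"]))
        elif m := REG_KEY.match(line):
            key = m["key"]
        elif key and (m := REG_VALUE.match(line)):
            report["registry"][(key, m["name"])] = int(m["data"], 16)
        elif line.startswith("* No "):
            report["clean"].append(section)
        elif line.startswith("* "):
            report["other"].append((section, line[2:]))
    return report

def defender_disabled_by_policy(report):
    """True when the log shows the DisableAntiSpyware policy value set to 1."""
    return report["registry"].get((DEFENDER_KEY, "DisableAntiSpyware")) == 1

if __name__ == "__main__":
    r = parse_rkill(SAMPLE_LOG)
    print("Defender disabled by policy:", defender_disabled_by_policy(r))
```

Grouping the service entries by tag makes it easy to compare two runs of the tool and see which findings persist after cleanup.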
  6. Writer Win User
    I just completed another Malwarebytes AM Scan. Here is the LogFile:

    Malwarebytes AM 11-16-2015 6.30 pm.docx

    Was the Scan Log from the Malwarebytes AM Scan I did around noon today stored somewhere?
     
    Writer, Nov 16, 2015
    #36
  7. simrick Win User
    Here is where you find the MBAM log files from the scans you have run:


    There is a setting in MBAM you need to change so it detects Rootkits:



    So, sorry, but it really needs to be run again with the Rootkit selected, and make sure the PUPs and PUMs are "treated as malware" as well.

    To answer your earlier question - MBAM does not need to be turned off when running ESET; only your active AV (which in your case, Defender, is already disabled due to the infections).

    And is the ESET scan running now? You should only run one scan at a time, so if ESET is running, let it finish before running MBAM again please.
     
    simrick, Nov 16, 2015
    #37
  8. simrick Win User

    Your current MBAM log

    Malwarebytes Anti-Malware
    Malwarebytes | Free Anti-Malware & Internet Security Software

    Scan Date: 11/16/2015
    Scan Time: 6:30 PM
    Logfile: Malwarebytes AM 11-16-2015 6.30 pm.txt
    Administrator: Yes

    Version: 2.2.0.1024
    Malware Database: v2015.11.16.07
    Rootkit Database: v2015.11.14.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 10
    CPU: x86
    File System: NTFS
    User: User

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 355070
    Time Elapsed: 25 min, 56 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 1
    PUP.Optional.CrossRider, HKU\S-1-5-21-4156195948-2828175874-2147720042-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{9563BC59-9556-4805-8CD4-886781779D8D}, Quarantined, [04b33c4282099a9cf540488f5da6619f],

    Do you have Ghostery installed on one of your browsers? If so, when all is said and done, it may need to be reinstalled.

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)
    (end)

    Looking much better now, but I'd still like to see the log from the first run, thanks.
     
    simrick, Nov 16, 2015
    #38
  9. Writer Win User
    I was not able to access ESET from the posts that you made previously. The screen locks up so that I have to close the tab.

    I'll run Malwarebytes AM now and select a root kit. This will likely take 25 minutes again.
     
    Writer, Nov 16, 2015
    #39
  10. simrick Win User
    What browser are you trying to run it in please?
    What all browsers do you have on the system?

    Okay sounds good.

    EDIT: I just read your other thread, and it appears that you have only Edge and Internet Explorer, is that correct? If so, then please download and install Firefox browser, and use that to run the ESET online scanner.
     
    simrick, Nov 16, 2015
    #40
  11. Writer Win User
    When I go to Malwarebytes AM "History," the list there includes three or four dates from the time I first got the viruses on 11-09-2015. There are only three options offered there: I can "Restore" "Delete" or "Delete All." The question is: how do I copy all of these files so that I can put them in a document and post them to you?

    Concerning running the ESET Online Scanner: can you give me a link for it? Usually, when I search for a link for an anti-virus scanner, about a dozen different websites come up. I don't know which one to choose. Additionally, I am now gun-shy since I got these viruses a few days ago.

    I haven't started running the Malwarebytes AM Scanner yet; I thought I would try to send you the previous Scan Logs. The virus that infected Defender might be one of the nine that I sent you earlier.

    I ran the scan, and 406 threats were listed, some as potential threats, and 9 as definite threats. I list the 9 definite threats here:
    1. NowUSeeIt Player
    2. RootKit.Komodia.pup
    3. Trojan.Agent
    4. RootKit.Agent.A
    5. Trojan.Symmi
    6. Adware.PennyBee.WnskRST
    7. Trojan.Downloader
    8. Adware.SilentInstaller
    9. Adware.Imali
     
    Writer, Nov 16, 2015
    #41
  12. simrick Win User
    When you click on a log, it opens, and in the bottom-left there is an "Export" button. You can select "copy to clipboard" and then paste the text right in here in your next message. (You don't even have to make a doc file out of it.)

    Make sure you select APPLICATION LOGS on the left and not QUARANTINE.


     
    simrick, Nov 16, 2015
    #42
  13. simrick Win User

    simrick, Nov 16, 2015
    #43
  14. Writer Win User
    I've never used the clipboard on Windows 10; how do I find it?

    I made a document for the earlier Scan Log:

    Malwarebytes AM 11-16-2015 11.31 pm.docx
     
    Writer, Nov 16, 2015
    #44
  15. simrick Win User
    You will see the scan logs if you click APPLICATION LOGS on the top left:


    Select "copy to clipboard". Then put your cursor in the answer box here, and right-click and select PASTE. That's it - the clipboard works behind the scenes - you never see it, but it's there. *Smile
     
    simrick, Nov 16, 2015
    #45