Tricked By Turk TV? Browsers HiJacked SSL warning


  • This topic is locked
32 replies to this topic

#1 bonnie848

bonnie848

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 06 July 2014 - 04:40 PM

I made the mistake of installing what I believed to be a program to receive TV over the internet. It ended up installing a bunch of programs, Softonic I think, but no indication of a TV program. Anyway, my Chrome browser and FF browser were both hijacked. I ran Malwarebytes and it found 66 items; I have the log if needed. I reset the start pages in all browsers but still get this in a yellow box on the Google search page:

 

SSL search is off

This network has turned off SSL search, so you cannot see personalized results.

The security features of SSL search are not available. Content filtering may be in place.

Learn More | Dismiss

 

I also noticed some weird looking security certificates in FF that started with Turk, some with SA (South America, I'm thinking), China, etc. I removed some, but don't know about some.

 

I cannot believe how fast this happened. One click, and pow!

Can someone help please?

 

 

 


#2 JohnC_21

JohnC_21

  • Members
  • 24,658 posts
  • ONLINE
  • Gender:Male
  • Local time:10:38 AM

Posted 06 July 2014 - 05:30 PM

Download and run Rkill. Let it kill any found processes. Do not reboot; then run another Malwarebytes scan.

 

Download and run Adwcleaner.

 

Download and run Junkware Removal Tool

 

Go here and run the ESET Online Scanner.

 

Post back on the results.



#3 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:38 AM

Posted 06 July 2014 - 05:57 PM

Only after you complete the above directions, please try these ideas - Do not click on any advertising, as these are just guides.

 

 

1. Go to Add/Remove Programs in Control Panel or Programs and Features if using Vista/Windows 7/8. From within Add/Remove Programs look for anything like your problem above and select Remove.


2. Open your browser and disable (uncheck) all extensions. Make a list first, then one by one, re-enable each extension to see if the pop-ups start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it but let me know which one it was so I can update our list.
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer


3. If the above did not resolve the problem, then create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome



#4 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 06 July 2014 - 08:55 PM

Still waiting for ESET to complete; here are the rest of the logs.

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/06/2014 08:41:11 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\System32\StkCSrv.exe (PID: 3056) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  ÿþ1 2 7 . 0 . 0 . 1               l o c a l h o s t
 
   : : 1               l o c a l h o s t
 
   

Program finished at: 07/06/2014 08:43:18 PM
Execution time: 0 hours(s), 2 minute(s), and 7 seconds(s)
 

***

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/6/2014
Scan Time: 8:43:59 PM
Logfile: MBLog-7-6.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.06.08
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: robert

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327665
Time Elapsed: 13 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

***

 

# AdwCleaner v3.214 - Report created 06/07/2014 at 21:04:25
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : robert - ROBERT-HP
# Running from : C:\Users\robert\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\robert\AppData\Roaming\Settings Manager
Folder Deleted : C:\Users\robert\Documents\Updater
File Deleted : C:\Windows\System32\Tasks\LaunchApp

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}
Key Deleted : HKCU\Software\Linkey
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\WEDLMNGR
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\Users\robert\AppData\Local\Linkey\IEEXTE~1\iedll.dll
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\Users\robert\AppData\Local\Linkey\IEEXTE~1\iedll64.dll
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126


-\\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\robert\AppData\Roaming\Mozilla\Firefox\Profiles\5mawl7ec.testx15\prefs.js ]


[ File : C:\Users\robert\AppData\Roaming\Mozilla\Firefox\Profiles\a6758pul.default-1395446646891\prefs.js ]

Line Deleted : user_pref("browser.search.defaultenginename", "default-search.net");
Line Deleted : user_pref("browser.search.order.1", "default-search.net");
Line Deleted : user_pref("browser.search.selectedEngine", "default-search.net");

-\\ Google Chrome v35.0.1916.153

*************************

AdwCleaner[R0].txt - [5112 octets] - [01/06/2014 15:22:24]
AdwCleaner[R1].txt - [5662 octets] - [06/07/2014 20:59:12]
AdwCleaner[S0].txt - [4938 octets] - [01/06/2014 15:31:02]
AdwCleaner[S1].txt - [4870 octets] - [06/07/2014 21:04:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4930 octets] ##########
 

***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by robert on Sun 07/06/2014 at 21:09:04.56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 07/06/2014 at 21:15:02.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

***

Forgot to mention: I get this again when going to Google in any browser: http://www.google.com/?gws_rd=ssl < I have the homepage set to https://www.google.com/ on all browsers.
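Two of the artifacts in the logs above are easy to re-check on any machine after a cleanup like this: the Firefox `browser.search.*` lines in prefs.js that AdwCleaner deleted (all pointing at default-search.net), and the HOSTS file, which Rkill printed as `ÿþ1 2 7 . 0 . 0 . 1 ...` because the file was saved as UTF-16 with a byte-order mark (bytes FF FE) and was being read as 8-bit text. The script below is an added example written for this thread, not code from Rkill, AdwCleaner, Malwarebytes or Firefox. The sample prefs.js content copies the three logged lines plus constructed filler; the HOSTS sample, the extra `203.0.113.5 www.example.com` entry, and the list of expected search engines are constructed assumptions.

```python
"""Audit helpers for two artifacts seen in the logs above: Firefox search
prefs rewritten in prefs.js, and a Windows HOSTS file that may have been
saved as UTF-16.  Example code written for this thread; not part of Rkill,
AdwCleaner, Malwarebytes or Firefox."""
import re
from typing import Dict, List, Set, Tuple

# String-valued user_pref lines as Firefox writes them to prefs.js.
# Numeric/boolean prefs such as user_pref("x", 1); are deliberately not matched.
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Constructed sample prefs.js: the three default-search.net lines are the ones
# AdwCleaner deleted in the log above, the rest is plausible filler.
SAMPLE_PREFS = """\
user_pref("browser.search.defaultenginename", "default-search.net");
user_pref("browser.search.order.1", "default-search.net");
user_pref("browser.search.order.2", "Google");
user_pref("browser.search.selectedEngine", "default-search.net");
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("browser.startup.page", 1);
"""

# Engines the owner actually expects to see (assumption; adjust per machine).
EXPECTED_ENGINES: Set[str] = {"google", "bing", "yahoo", "duckduckgo"}

# Constructed HOSTS file, encoded as UTF-16LE with a BOM (bytes FF FE) the way
# the one in the Rkill output evidently was.  203.0.113.5 / www.example.com is
# an RFC 5737 / RFC 2606 placeholder, not an address from the thread.
SAMPLE_HOSTS = b"\xff\xfe" + (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "203.0.113.5     www.example.com   # constructed extra entry\r\n"
).encode("utf-16-le")

# The two stock entries a default Windows HOSTS file carries.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {name: value} for every string-valued user_pref line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def suspicious_search_prefs(prefs: Dict[str, str],
                            expected: Set[str]) -> List[Tuple[str, str]]:
    """browser.search.* prefs whose value is not an expected engine name."""
    return sorted((name, value) for name, value in prefs.items()
                  if name.startswith("browser.search.")
                  and value.lower() not in expected)


def decode_hosts(data: bytes) -> str:
    """Decode HOSTS bytes.  A UTF-16 file starts with a BOM (FF FE or FE FF);
    read as 8-bit text it appears as 'ÿþ' with a NUL (shown as a space) after
    every character, exactly like the Rkill output above."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")  # the codec consumes the BOM
    return data.decode("utf-8-sig", errors="replace")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs with comments and blank lines removed."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.extend((fields[0], host.lower()) for host in fields[1:])
    return entries


def non_default_hosts(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Every mapping other than the two stock localhost lines."""
    return [e for e in entries if e not in DEFAULT_HOSTS]


def audit(prefs_text: str, hosts_bytes: bytes) -> Dict[str, list]:
    """Run both checks and return the findings for a human to review."""
    return {
        "search_prefs": suspicious_search_prefs(parse_prefs(prefs_text),
                                                EXPECTED_ENGINES),
        "hosts": non_default_hosts(parse_hosts(decode_hosts(hosts_bytes))),
    }


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_PREFS, SAMPLE_HOSTS).items():
        print(f"{section}: {len(findings)} finding(s)")
        for item in findings:
            print("   ", *item)
```

On a real machine, point `parse_prefs` at the prefs.js inside the profile folder the AdwCleaner log names and `decode_hosts` at the bytes of `C:\Windows\System32\drivers\etc\hosts`; anything the audit returns is a candidate for review, not an automatic verdict, since legitimate software also adds HOSTS entries and search engines.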



#5 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 06 July 2014 - 09:56 PM

ESET didn't find anything.



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:38 AM

Posted 07 July 2014 - 07:21 AM

RKill should have done this, but please recheck by running this -

 

Please run this M/soft Fixit to Reset your Hosts Files (prevents many infections)

FIXIT link

Note: If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD and then run the automatic fix on the computer that has the problem.
Click the Fix it button or link, click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.



#7 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 07 July 2014 - 08:56 AM

Noknojon, this MS Fixit did seem to fix the problem with the appended google.com address. I also should mention something I hadn't noticed before: the top several Google searches had yellow text above them stating "AD", and those seemed to have disappeared after running the tools JohnC recommended. I hadn't really even noticed them until they were missing.

 

Anything else I should check?

 

You guys are the best. :clapping:

 

Thanks,

Bonnie



#8 JohnC_21

JohnC_21

  • Members
  • 24,658 posts
  • ONLINE
  • Gender:Male
  • Local time:10:38 AM

Posted 07 July 2014 - 09:07 AM

Glad everything is working now for you.

 

Depending on the antivirus you are using, some of them turn PUP (potentially unwanted program) detection off by default. You can enable this if there is that option.

 

I would also download and install Malwarebytes Anti-Exploit. This will protect against zero-day infections that use the browser to deliver their payload. There is the free version that protects you when browsing and the Pro for additional applications.



#9 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 07 July 2014 - 10:57 AM

Hi John, I'm using MSSE for AV. I think I remember reading that you shouldn't use another malware remover with it? Is there a way to protect against PUP using MSSE?

 

Everything seems to be working okay, but a little sluggish compared to before the malware. When I open Firefox there is a delay before it goes to the homepage, and when I open some of my favorite programs there seems to be a delay before they open or are fully functional. Is this normal after the cleaning?

 

Also, is there anything I should do to check out the certificates in FF and IE? I don't think Chrome uses them, right?

 

Thanks,

Bonnie



#10 JohnC_21

JohnC_21

  • Members
  • 24,658 posts
  • ONLINE
  • Gender:Male
  • Local time:10:38 AM

Posted 07 July 2014 - 12:38 PM

Personally, I would install something other than MSE, but I would let noknojon give his thoughts on that. As far as the slowdown, no, that is not normal and I wouldn't know how to fix that. Again, noknojon can give a better answer and possible solution than me on that. If you open Firefox, close it, then open it, is the delay still there?

 

There are certificates in all browsers but I would not be able to tell you which ones can or cannot be deleted or even if you should delete them.



#11 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 07 July 2014 - 01:23 PM

Yes, if I open, close, open, same thing. Sometimes it seems okay... very strange.

 

So, do I need to message noknojon, or will he read this and respond?

 

Thanks,

Bonnie



#12 JohnC_21

JohnC_21

  • Members
  • 24,658 posts
  • ONLINE
  • Gender:Male
  • Local time:10:38 AM

Posted 07 July 2014 - 01:50 PM

He's located in Australia, so it's about 5:00 AM over there now. If he does not respond, just give him a PM.



#13 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:38 AM

Posted 07 July 2014 - 06:32 PM

Hi -

I did in fact use your link to infect my computer, but it did not Fully hijack the browser.

 

As I have Google.com as my home page, below the (almost normal) Google Search bar was this line that showed what you seem to have. It advertised Turk TV for a price of about $49.

 

I had reset my home page several times (many times) and it would not change back to a regular Google.com page. I just followed the directions I have left for Internet Explorer (as I find this to be as secure as Chrome).

 

So I left it overnight and today I have no fake line advertising Turk TV??

I hope that constantly resetting was the reason it changed back, although I only had the single advertising line, and not a fully hijacked page it seems.



#14 bonnie848

bonnie848
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 07 July 2014 - 06:45 PM

When I tried it, it installed several programs, but not TurkTV. The yellow marked ads in the Google search page were on the top few entries and sometimes a couple at the bottom. They were clearly marked "AD", and on the right side of the Google page I would get a text box that said SSL was disabled, with a link for instructions on enabling it. But it kind of went in circles; you would click the link, and it would bring you to a page, then click a link on that page, and back to the same page again. It affected all my browsers. I tried, as someone suggested online, setting the homepage to http://www.google.com/ncr and this worked once or twice, but then stopped working. I went back to setting all of the homepages and new tab pages to https://www.google.com/ and after using the MS Fixit link you sent me, that seemed to fix that problem as well as the yellow ad links.

 

Now, when I open Firefox for example, there is a second or two delay before the address bar completes and goes to the homepage. I'm also noticing a slight lag in starting up some of my favorite programs. I didn't understand some of the things you suggested right after JohnC had responded, but I did try TFC and I always have my computer setup for minimal display effects, preferring speed over pretty.

 

I wondered if there was anything I could do to check the certificates in the browsers to make sure I'm not opening the door to malware, and if there was anything I could check or do to improve speed.



#15 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:38 AM

Posted 07 July 2014 - 06:56 PM

Try this; it was the last thing I did. Clear cache and unwanted temp files.

 

Please download Temp File Cleaner by Old Timer, and follow directions.
Usage Instructions:

1. Download TFC from the download link above and save the file on your desktop.
2. Close ALL running applications, as TFC will terminate them before attempting to clean up the temporary files.
3. Double-click on the TFC icon.
4. When the program opens, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
5. When done, press OK > Exit, and reboot your computer to finish the clean-up.

 

No log is given or expected.


