
Need help removing rocket-find hijacker.


6 replies to this topic

#1 toxic22


Posted 14 July 2014 - 05:14 PM

Sometime yesterday my PC became infected with rocket-finder. It changed my homepage and default search engine, and I also kept getting one of those pop ups telling me my PC might be infected, and asking me to install some obviously fake anti-malware software. I reset all of my web browsers and ran Malwarebytes and SuperAntiSpyware. That seems to have fixed most of the problem, but I still get pop-ups every once in a while telling me to download some fake anti-malware because my PC might be infected. So I apparently haven't removed it completely, and I'm not sure what else I should do.




#2 scotty_ncc1701


Posted 14 July 2014 - 05:24 PM

http://www.pcrisk.com/removal-guides/7821-rocket-find-com-virus

Notes:
1.  It is my opinion that, once infected, a full system reset is necessary, because there is no way to guarantee everything affected by a virus, malware, etc. is completely removed.

2.  I'm unaware of the reputation of the above site, so use the procedure(s) at your own risk.

Have a great day:
:bananas: :bounce:



#3 mainer21


Posted 14 July 2014 - 05:57 PM

The Web site url checked out clean, but the software that they tell you to download to remove rocket-finder is "Rogue". Don't download it.

Malicious 100/100

http://zulu.zscaler.com/submission/show/731e1a609b7cdff9b676b80a482f94dd-1405378274



#4 noknojon


Posted 14 July 2014 - 06:41 PM

Scotty has fallen for the old 1 / 2 - Find a sucker and implant more infections.

 

First - This is a "basic clean-up" and we will go further depending on your answers.

 

Download all programs to Desktop, and Copy and Paste all logs.

 

Please download and run RKill by Grinler.
 A black DOS box will appear for a short time and then disappear.
 This is normal and indicates the tool ran successfully.
 At most the tool will usually run for about 2 minutes.
 Please Copy / Paste the small log back here.

 

Important: Do not reboot your computer until you complete the next step.

 

* NOW :
 Please download AdwCleaner by Xplode and save to your Desktop.
 * Double-click on AdwCleaner.exe to run the tool.
 * Vista/Windows 7/8 users right-click and select Run As Administrator.
 * Click on the Scan button (only once)
 * AdwCleaner will begin...be patient as the scan may take some time to complete.
 * After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Check the removals and see if you are OK with the list.

* Now
 * Click on the Clean button (only once)
 * Press OK when asked to close all programs and follow the onscreen prompts.
 * Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
 * After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
 * Copy and Paste the contents of that logfile in your next reply.

* A copy of all logfiles is also saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Next -
Please download Junkware Removal Tool by Thisisu to desktop

Click on Run to initiate the installation.

To avoid potential conflicts, Temporarily Disable your Antivirus

You will want to be offline when you do this.

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select Run as Administrator.

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and paste this in your next post.

 

 

Next check for the program -

NOTE : These are guides only, so they are only for reading (text credit to quietman7).

 

1. Go to Add/Remove Programs in Control Panel for XP or Programs and Features if using Vista/Windows 7/8. From within Add/Remove Programs look for anything like the above problem and select Remove.

2. Open your browser and disable (uncheck) all extensions. Make a list, then one by one, re-enable each extension to see if the pop-ups start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it

* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer


3. If the above did not resolve the problem, then create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome          

 

 

Finally-

If not installed please install Malwarebytes Anti-Malware

  1. You can download Malwarebytes Anti-Malware from the below link to your desktop.
  2. Malwarebytes Anti-Malware Link
    (This link will open a new web page from where you can download Malwarebytes Anti-Malware Free)
  3. Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup-consumer-2.00.xx” to start the installation of Malwarebytes Anti-Malware.
  4. When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.
  5. Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Fix Now” button.
  6. Alternatively, you can click on the “Scan” tab and select “Threat Scan“, then click on the “Scan Now” button.
  7. Malwarebytes Anti-Malware will now start scanning your computer for the Rocket Search entry
  8. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found. When removing the files, Malwarebytes Anti-Malware may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot your computer, please allow it to do so.
  9. If a log is produced, please post it back here.


#5 scotty_ncc1701


Posted 14 July 2014 - 06:54 PM

Thanks for the information!  I've added the sites (zscaler.com and pcrisk.com) to my blocked sites list.  My personal rules are if site "A" directs to site "B", and site "B" is bad, I block both sites "A" and "B".

 

Have a great day!

:bananas: :bounce:



#6 toxic22


Posted 14 July 2014 - 07:20 PM

AdwCleaner didn't give me a log when I ran scan. It only gave me a log when I ran clean.

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/14/2014 07:48:59 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 07/14/2014 07:50:24 PM
Execution time: 0 hours(s), 1 minute(s), and 24 seconds(s)
 

# AdwCleaner v3.215 - Report created 14/07/2014 at 19:55:11
# Updated 09/07/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Joseph F - JOSEPHF-PC
# Running from : C:\Users\Joseph F\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : BackupStack

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\OApps
Folder Deleted : C:\Program Files (x86)\WinZip Registry Optimizer
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files\PC Optimizer Pro
Folder Deleted : C:\Users\JOSEPH~1\AppData\Local\Temp\apn
Folder Deleted : C:\Users\Joseph F\AppData\Roaming\digitalsite
Folder Deleted : C:\Users\Joseph F\AppData\Roaming\Nico Mak Computing
Folder Deleted : C:\Users\Joseph F\AppData\Roaming\RocketUpdater
Folder Deleted : C:\Users\Joseph F\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserProtect
File Deleted : C:\Users\Joseph F\daemonprocess.txt
File Deleted : C:\Windows\System32\Tasks\DigitalSite

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\updateBatBrowse_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\updateBatBrowse_RASMANCS
Key Deleted : HKLM\SOFTWARE\e6d8d8b56db841
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6A83313B-E6B5-4F18-B49D-15EBE176A8B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6A83313B-E6B5-4F18-B49D-15EBE176A8B1}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{88CCA982-C030-4B27-8FBC-201189970FDE}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\HappyLyrics
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\Joseph F\AppData\Roaming\Mozilla\Firefox\Profiles\czr6ka5h.default-1405321152728\prefs.js ]


-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [6327 octets] - [14/07/2014 03:04:45]
AdwCleaner[R1].txt - [4934 octets] - [14/07/2014 19:52:11]
AdwCleaner[S0].txt - [4823 octets] - [14/07/2014 19:55:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4883 octets] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Joseph F on Mon 07/14/2014 at 20:02:50.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\APN_ATU3__RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\APN_ATU3__RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2F5641B7-68A3-D69A-8918-72A21E85F22E}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0D7C2D18-F6EA-761A-A3C6-59D596569AD0}



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/14/2014 at 20:12:16.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
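
Added example, not part of the original post or of any tool mentioned in this thread: a small parser for the AdwCleaner report layout shown above that lists which removed items were ways for software to start itself (a service, a scheduled task, a registry-installed browser extension), which is the first thing to re-check when pop-ups return after a cleanup. The sample lines are copied from the report above; the labels in `RULES` are this example's own heuristics, not AdwCleaner categories.

```python
import re

# A few lines copied from the AdwCleaner[S0].txt report posted above (shortened).
SAMPLE_LOG = r"""# AdwCleaner v3.215 - Report created 14/07/2014 at 19:55:11
***** [ Services ] *****
Service Deleted : BackupStack
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\Joseph F\AppData\Roaming\RocketUpdater
File Deleted : C:\Windows\System32\Tasks\DigitalSite
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY = re.compile(r"^(\w+) Deleted : (\[x64\] )?(.+)$")

# Heuristic labels chosen for this example (assumption, not AdwCleaner's own).
RULES = [
    ("scheduled task", re.compile(r"\\Windows\\System32\\Tasks\\", re.I)),
    ("Chrome extension (registry install)",
     re.compile(r"\\Google\\Chrome\\Extensions\\", re.I)),
    ("IE pre-approved add-on", re.compile(r"\\Ext\\PreApproved\\", re.I)),
]

def parse_report(text):
    """Return one dict per 'X Deleted : target' line, tagged with its section."""
    section, entries = None, []
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            section = m.group(1)
        elif (m := ENTRY.match(line)):
            entries.append({"section": section, "kind": m.group(1),
                            "x64": bool(m.group(2)), "target": m.group(3)})
    return entries

def autostart_items(entries):
    """Pick out removals that were autostart or browser-load mechanisms."""
    found = []
    for e in entries:
        if e["kind"] == "Service":
            found.append(("service", e["target"]))
            continue
        for label, pattern in RULES:
            if pattern.search(e["target"]):
                found.append((label, e["target"]))
                break
    return found

if __name__ == "__main__":
    for label, target in autostart_items(parse_report(SAMPLE_LOG)):
        print(f"{label:36} {target}")
```
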
 



#7 noknojon


Posted 14 July 2014 - 08:14 PM

Now re-scan with a Fully Updated version of Malwarebytes Anti-Malware, and please read and follow the list of links on "How To Remove Add-ons / Extensions"

 

Please post the MBAM log back here, or follow this -

Download MalwareBytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.exe to start the installation of Malwarebytes Anti-Malware.
  • Follow the instructions on your screen to complete the installation. You can find the complete installation procedure here.
  • Click Scan at the top of the screen and hit Detection and Protection.
  • Choose Custom Scan and click Scan Now.
  • Check the box next to Scan for rootkits.
  • MalwareBytes Anti-Malware will now check for the latest updates. Click Update Now if new updates are available.
  • Your computer is now being scanned, please do not use your computer during the scan.
  • If no threats were found, click View detailed log.
  • Click Export and save the log as a .txt file on your Desktop or another location.

  • If the scan detected any threats, click Apply Actions. To complete any actions taken you will be prompted to restart your computer...click on Yes.
  • After reboot, start Malwarebytes Anti-Malware again and click the History Tab at the top and select Application Logs.
  • Check the box next to Scan Log. Choose the most current scan and click View.
  • Click Export and save the log as a .txt file on your Desktop or another location.

Providing the MalwareBytes' Anti-Malware log file.
Attach the log file you just saved to your next reply for further review.

 

 

 

Next -

Run ESET Online Scanner. Temporarily Disable your Antivirus

  • Hold down Control and click on This Link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu. to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives and Remove Threats"
  • Click Advanced settings and select the following:
    Scan potentially unwanted applications
     Scan for potentially unsafe applications
     Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as this will take some time. A scan time of 2 hours is not unusual.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Most times if ESET finds no infections it will not create a log.





