
random website opens when I open my web browser?


This topic is locked. 7 replies to this topic.

#1 IBIubbletea

IBIubbletea

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 September 2014 - 03:32 PM

So today I noticed that when I start my computer and open my web browser, this random website pops up, something to do with CMD opening it or something. The website seems like a spam/virus site. Any help? Did I get hacked?

The site is http://gameharbor.org/





#2 IBIubbletea

IBIubbletea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 September 2014 - 03:53 PM

FRST

Spoiler

 

Addition

Spoiler


Edited by IBIubbletea, 09 September 2014 - 03:56 PM.


#3 IBIubbletea

IBIubbletea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 September 2014 - 04:14 PM

@aharonov or anyone? I don't mean to rush, just want help.



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:23 PM

Posted 10 September 2014 - 04:42 AM

How is it after the following fix?


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#5 IBIubbletea

IBIubbletea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 10 September 2014 - 01:28 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-09-2014
Ran by Collin at 2014-09-10 10:34:53 Run:1
Running from E:\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKU\S-1-5-21-3681722377-3683664340-2270326414-1001\...\Run: [CMD] => cmd.exe /c start http://extendedunlimited.org && exit <===== ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CMD: type "C:\Windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat"
EmptyTemp:
*****************
 
HKU\S-1-5-21-3681722377-3683664340-2270326414-1001\Software\Microsoft\Windows\CurrentVersion\Run\\CMD => value deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => value deleted successfully.
 
=========  type "C:\Windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat" =========
 
@echo off
regsvr32 /s igfxDH.dll
regsvr32 /s igfxDI.dll
regsvr32 /s igfxLHM.dll
regsvr32 /s igfxCPL.cpl
regsvr32 /s igfxDTCM.dll
regsvr32 /s igfxOSP.dll
regsvr32 /s igfxexps.dll
igfxext.exe /regserver
igfxTray.exe /regserver
igfxHK.exe /regserver
start igfxEM.exe /RegServerPerUser
GfxUIEx.exe /regserver
attrib +R +H +S +A *.cui
start igfxEM.exe
start igfxTray.exe
start igfxHK.exe
del /Q {F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
 
========= End of CMD: =========
 
EmptyTemp: => Removed 693.7 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=f6f4db1ff7fa1d4b903e99c1b8cfd0ee
# engine=20091
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-09-10 06:24:37
# local_time=2014-09-10 11:24:37 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1='Norton 360'
# compatibility_mode=3598 16777213 100 100 0 160949573 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 8628534 35168370 0 0
# scanned=250737
# found=17
# cleaned=0
# scan_time=1287
sh=65445076B7E874447DCE5BC870F3A5BD866FAB5C ft=1 fh=3d11f17b54c8d2d0 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\Collin\Desktop\3DMGAME-Prison.Architect.Alpha.24c.Cracked-3DM\Prison Architect\steam_api.dll"
sh=65445076B7E874447DCE5BC870F3A5BD866FAB5C ft=1 fh=3d11f17b54c8d2d0 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\Collin\Desktop\Prison Architect 22\steam_api.dll"
sh=65445076B7E874447DCE5BC870F3A5BD866FAB5C ft=1 fh=3d11f17b54c8d2d0 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\Collin\Desktop\Prison Architect 23d\steam_api.dll"
sh=6F9C9C8B1A77BA4B0E680D0E43F6629E0704DC3E ft=0 fh=0000000000000000 vn="a variant of Win32/BitCoinMiner.BY potentially unsafe application" ac=I fn="D:\Desktop\cgminer-3.7.2-windows.zip"
sh=F2C2BA3BDB1F2E828C27D0C65F5CF9742B776690 ft=1 fh=a2baeb08c37cd049 vn="a variant of Win32/BitCoinMiner.BY potentially unsafe application" ac=I fn="D:\Desktop\cgminer-3.7.2-windows\cgminer-3.7.2-windows\cgminer-nogpu.exe"
sh=6B4F3E6EB3AAE1D1E9250E006C1EA18854A5BDED ft=1 fh=03f7934c7f4ba60d vn="a variant of Win32/BitCoinMiner.BJ potentially unsafe application" ac=I fn="D:\Mining Stuff\Bitcoin\bitcoin-qt.exe"
sh=7EB8BEEC49636AAE2BD754EB51A31BDC8516E721 ft=1 fh=6a73ba54031a6efe vn="a variant of Win32/BitCoinMiner.BJ potentially unsafe application" ac=I fn="D:\Mining Stuff\Bitcoin\daemon\bitcoind.exe"
sh=F2C2BA3BDB1F2E828C27D0C65F5CF9742B776690 ft=1 fh=a2baeb08c37cd049 vn="a variant of Win32/BitCoinMiner.BY potentially unsafe application" ac=I fn="D:\Mining Stuff\cgminer-3.7.2-windows\cgminer-3.7.2-windows\cgminer-nogpu.exe"
sh=E98553234F30BD3A3F17B57005B8868B5C007271 ft=1 fh=3fae01ba1d4d80f8 vn="a variant of Win32/BitCoinMiner.BJ potentially unsafe application" ac=I fn="D:\Mining Stuff\dogecoin-qt-v150-win\dogecoin-qt.exe"
sh=46ECDBF331E5E3630EB26AB7844E0312C8B87D11 ft=1 fh=d2c6382f30afb553 vn="a variant of Win32/BitCoinMiner.BJ potentially unsafe application" ac=I fn="D:\Mining Stuff\Nutcoin-Qt_Windows\nutcoin-qt.exe"
sh=3A3E80E55313535827E41A5675BAC553285FB653 ft=1 fh=7ea4ccff3fd7ddeb vn="a variant of Win32/BitCoinMiner.BJ potentially unsafe application" ac=I fn="D:\Mining Stuff\Nutcoin-Qt_Windows\nutcoind.exe"
sh=1DE5D70A411EBBF4441FD569E7427CC28A4D6B13 ft=1 fh=b572351b8a033ea9 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="E:\Downloads\ccsetup417 (1).exe"
sh=1DE5D70A411EBBF4441FD569E7427CC28A4D6B13 ft=1 fh=b572351b8a033ea9 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="E:\Downloads\ccsetup417 (2).exe"
sh=1DE5D70A411EBBF4441FD569E7427CC28A4D6B13 ft=1 fh=b572351b8a033ea9 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="E:\Downloads\ccsetup417.exe"
sh=604DD997A679DBB4BCA818F946CEB320DEE96EE6 ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="E:\Downloads\3DMGAME-Prison.Architect.Alpha.24c.Cracked-3DM\3DMGAME-Prison.Architect.Alpha.24c.Cracked-3DM.7z"
sh=65445076B7E874447DCE5BC870F3A5BD866FAB5C ft=1 fh=3d11f17b54c8d2d0 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="E:\Downloads\3DMGAME-Prison.Architect.Alpha.24c.Cracked-3DM\3DMGAME-Prison.Architect.Alpha.24c.Cracked-3DM\Prison Architect\steam_api.dll"
sh=10F0341426298CFE8A09D9D28B4017910F70C6F8 ft=1 fh=b3e94e69645d32f6 vn="a variant of Win32/HackTool.Patcher.AD potentially unsafe application" ac=I fn="E:\Downloads\Sony Vegas Pro 13.0 build 290 (64 bit) Multilingual [ChingLiu]\Patch KHG\vegas.pro.13.0.(64-bit)-patch.exe"
 

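The two things a responder actually reads in the log above are the Run value that launches `cmd.exe /c start <url>` at logon (the cause of the browser opening a random site) and the ESET result lines. The following Python is an added example, not part of the original thread and not code from FRST or ESET: it parses FRST-style Run-key lines and flags any whose command is just cmd starting a URL, and it groups ESET result lines by verdict class while counting unique SHA-1 hashes, because the `found=` figure counts paths (the same steam_api.dll appears four times in the scan above). All sample lines, hashes, SIDs and paths in the block are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of autorun lines in the shape FRST prints them.
# SIDs, names and paths are made up; only the line format follows the Fixlog.
SAMPLE_AUTORUNS = r"""
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [CMD] => cmd.exe /c start http://extendedunlimited.org && exit <===== ATTENTION
HKLM\...\Run: [IgfxTray] => C:\Windows\System32\igfxtray.exe
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [Updater] => "C:\Program Files\Vendor\updater.exe" /background
HKLM\...\Run: [Launcher] => C:\Windows\System32\cmd.exe /c start "" https://example.invalid/landing && exit
HKLM\...\Run: [Backup] => cmd.exe /c "C:\Tools\backup.cmd"
"""

# Constructed ESET Online Scanner result lines; hashes are placeholders.
SAMPLE_ESET = r"""
# found=5
# cleaned=0
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=1 fh=0000000000000001 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\user\Desktop\Game\steam_api.dll"
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=1 fh=0000000000000001 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\user\Desktop\Game copy\steam_api.dll"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=0000000000000002 vn="a variant of Win32/BitCoinMiner.BY potentially unsafe application" ac=I fn="D:\Mining\cgminer.exe"
sh=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ft=1 fh=0000000000000003 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="E:\Downloads\setup.exe"
sh=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD ft=1 fh=0000000000000004 vn="Win32/Adware.Example potentially unwanted application" ac=I fn="E:\Downloads\bundle.exe"
"""

# FRST autorun line: <hive>\...\Run: [<name>] => <command> [<===== ATTENTION]
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<cmd>.*?)(?:\s*<=+ ATTENTION)?\s*$"
)

# cmd.exe (with or without a path) ... start [""] http(s)://...
# i.e. a persistence entry whose whole job is to open a web page.
URL_LAUNCH_RE = re.compile(
    r'(?:^|[\\\s"])cmd(?:\.exe)?\b.*?\bstart\b(?:\s+"[^"]*")?\s+"?https?://',
    re.IGNORECASE,
)

# ESET result line: sh=<sha1> ... vn="<verdict>" ac=<action> fn="<path>"
ESET_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) .*? vn="(?P<verdict>[^"]+)" ac=\w+ fn="(?P<path>[^"]+)"'
)


def parse_autoruns(text: str) -> List[Dict[str, str]]:
    """Return hive/name/cmd for every FRST Run-key line in the text."""
    entries = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_url_launchers(text: str) -> List[str]:
    """Names of Run entries that merely open a URL through cmd's start."""
    return [e["name"] for e in parse_autoruns(text) if URL_LAUNCH_RE.search(e["cmd"])]


def classify_verdict(verdict: str) -> str:
    """Map an ESET verdict string to a coarse class used for triage."""
    v = verdict.lower()
    if v.endswith("trojan"):
        return "trojan"
    if "potentially unsafe" in v:
        return "unsafe_app"
    if "potentially unwanted" in v:
        return "unwanted_app"
    return "other"


def summarize_eset(text: str) -> Dict[str, Dict[str, int]]:
    """Count hits per class, plus distinct files (by SHA-1) behind those hits."""
    hits: Dict[str, int] = defaultdict(int)
    unique: Dict[str, set] = defaultdict(set)
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue  # header lines such as "# found=5" are skipped
        cls = classify_verdict(m["verdict"])
        hits[cls] += 1
        unique[cls].add(m["sha1"].upper())
    return {cls: {"hits": hits[cls], "unique_files": len(unique[cls])} for cls in hits}


if __name__ == "__main__":
    print("Run entries that only open a URL:", find_url_launchers(SAMPLE_AUTORUNS))
    for cls, counts in summarize_eset(SAMPLE_ESET).items():
        print(f"{cls}: {counts['hits']} hit(s), {counts['unique_files']} distinct file(s)")
```

The URL pattern accepts both the bare `start http://...` form seen in the Fixlog and the `start "" https://...` form, since `start` treats a first quoted argument as a window title; a Run entry that runs a script through cmd without a URL is left alone.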

#6 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:23 PM

Posted 10 September 2014 - 01:32 PM

Ok, no active malware has been found. If everything is alright on your side then we're done.

My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!

#7 IBIubbletea

IBIubbletea
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 10 September 2014 - 01:41 PM

Seems like it is fixed. Yesterday when I checked my task manager's Startup tab, I saw CMD in there; now it's gone.

 

Thank you!



#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:23 PM

Posted 10 September 2014 - 01:43 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



