
Browser redirects in Chrome/ IE / Firefox


24 replies to this topic

#1 obvious (Members, 16 posts)

Posted 16 December 2014 - 07:01 AM

Hi

 

I am running Windows 10 technical preview so am unsure if you will be able to help.

 

I'm getting browser redirects under Chrome, IE and Firefox, but scans using Avast, MBAM, Kaspersky, Bullguard, Defender, the Malicious Software Removal Tool and various other antivirus software turn up a blank.

 

Any help much appreciated.

 

Thanks :)





#2 straightupwv (Members, 77 posts)

Posted 16 December 2014 - 07:07 AM

Are you hooked up to a router?  They can become infected too.  If so, try resetting it with the recessed button.  My experience is that you have to use a paper clip and hold it in for about two minutes.


Life is too short to have anything but delusional notions about yourself.


#3 obvious (Topic Starter, Members, 16 posts)

Posted 16 December 2014 - 07:19 AM

I've done a pinhole reset of the Virgin Media Super Hub, but the problem remains.



#4 buddy215 (Moderator, 13,196 posts, West Tennessee)

Posted 16 December 2014 - 07:28 AM

It could be that the browser shortcuts/icons on the desktop have been hijacked. I really don't know what programs are compatible with 10, but you can also try the ones below.

 

  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Right-click on the browser shortcut from the Taskbar, desktop and Start Menu, then right-click again on the browser icon as seen in the image below.
[image: taskbar-shortcuts-hijack.jpg]

  1. In the Shortcut tab, in the Target field, remove the http:xxxxxxxx.com. Basically, there should be only the path to the browser executable file. Nothing more.
     These are the default shortcut paths that should be in your Target box; if the xxxxxxxx.com argument is there, then you should remove it.
  2. The xxxxxxxx represents whatever is added. There are several addresses for this type of hijack.

 

In the IE properties you should only see this: C:\Program Files\Internet Explorer\iexplore.exe. Remove whatever else is on that line by highlighting it and pressing Delete.

In Firefox you should only see this: C:\Program Files\Mozilla Firefox\firefox.exe for Windows 32-bit OR C:\Program Files (x86)\Mozilla Firefox\firefox.exe for Windows 64-bit

 

Example of a Target box with an added URL for Key-Find (it could be one of several others):

[image: key-find-com-hijack.jpg]


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
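The shortcut check described in the post above, as an added PowerShell example that is not part of the original thread: it reads the Target and Arguments of every browser .lnk on the desktop, the pinned taskbar and the Start Menu and reports any shortcut that carries arguments. The pinned-taskbar folder path and the list of browser executables are assumptions. Because Chrome profile shortcuts legitimately carry --profile-directory, only URL-like arguments are cleared, and only when -Fix is given; run it in the affected user's own session, since the pinned-taskbar folder lives under that user's AppData.

```powershell
# Added example (not from the thread): find browser shortcuts whose Arguments field
# has had a URL appended, the hijack pattern described above. -Fix clears such args.
param([switch]$Fix)

# Assumption: the browsers discussed in this thread.
$browserExes = @('iexplore.exe', 'firefox.exe', 'chrome.exe', 'dragon.exe')

# Where Windows keeps desktop, pinned-taskbar and Start Menu shortcuts
# (the pinned-taskbar path is an assumption; it is per user).
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
) | Where-Object { Test-Path $_ }

# A hijacked shortcut has a URL or bare host name appended after the executable.
$urlPattern = '(?i)https?://|\b[a-z0-9-]+\.(com|net|org|info|biz)\b'

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $sc  = $shell.CreateShortcut($_.FullName)
    $exe = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($browserExes -notcontains $exe) { return }      # not a browser shortcut

    if ([string]::IsNullOrWhiteSpace($sc.Arguments)) {
        "OK       $($_.FullName)"
        return
    }
    # Anything with arguments is reported for review; Chrome profile shortcuts
    # legitimately carry --profile-directory, so only URL-like args are auto-fixed.
    "SUSPECT  $($_.FullName)"
    "         Target: $($sc.TargetPath)"
    "         Args:   $($sc.Arguments)"
    if ($Fix -and $sc.Arguments -match $urlPattern) {
        $sc.Arguments = ''
        $sc.Save()
        "         -> arguments cleared"
    }
}
```

Save it as a .ps1 and run it once without -Fix to see the list; a clean system prints only OK lines for the browser shortcuts. Shortcuts under the all-users Start Menu and Public desktop need an elevated prompt to be rewritten.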

#5 obvious (Topic Starter, Members, 16 posts)

Posted 16 December 2014 - 08:07 AM

AdwCleaner

# AdwCleaner v4.105 - Report created 16/12/2014 at 12:57:29
# Updated 08/12/2014 by Xplode
# Database : 2014-12-13.4 [Live]
# Operating System : Windows Technical Preview  (64 bits)
# Username : Paul - WIN-KDG2VF94DT6
# Running from : C:\Users\Paul\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\Program Files (x86)\ParetoLogic

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKLM\SOFTWARE\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9879.0


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v39.0.2171.95


-\\ Comodo Dragon v


*************************

AdwCleaner[R0].txt - [4949 octets] - [28/10/2014 00:57:17]
AdwCleaner[R1].txt - [1983 octets] - [09/12/2014 19:53:15]
AdwCleaner[R2].txt - [1006 octets] - [10/12/2014 12:08:19]
AdwCleaner[R3].txt - [1440 octets] - [16/12/2014 12:54:03]
AdwCleaner[S0].txt - [4476 octets] - [28/10/2014 00:59:35]
AdwCleaner[S1].txt - [1892 octets] - [09/12/2014 19:55:24]
AdwCleaner[S2].txt - [1067 octets] - [10/12/2014 12:10:21]
AdwCleaner[S3].txt - [1326 octets] - [16/12/2014 12:57:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1386 octets] ##########

 

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows Technical Preview x64
Ran by Paul on 16/12/2014 at 13:00:47.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 16/12/2014 at 13:04:56.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Browser targets are ok

 

Problem persists



#6 buddy215 (Moderator, 13,196 posts, West Tennessee)

Posted 16 December 2014 - 08:25 AM

Have you checked the browsers for add-ons/extensions that could cause the problem?

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run it by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

Open CCleaner and click on Tools. Choose Startups. In the opened page is the list of Windows startups, and at the top you will see buttons for each browser and Tasks. At the bottom right of that page is a button which, when clicked, will allow you to copy and paste each of those lists of startups in your next post. Please do that.

 

Eset has a good track record for finding Adware and Malware.

 

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double-click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.


#7 obvious (Topic Starter, Members, 16 posts)

Posted 16 December 2014 - 08:45 AM

System
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    DAEMON Tools Lite    Disc Soft Ltd    "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
Yes    HKCU:Run    GoogleChromeAutoLaunch_29EBA8C2ED1206321A8B41FC997F63B8    Google Inc.    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
Yes    HKCU:Run    GoogleDriveSync    Google    "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
Yes    HKCU:Run    PeerBlock    PeerBlock, LLC    C:\Program Files\PeerBlock\peerblock.exe
Yes    HKCU:Run    Plex Media Server    Plex, Inc.    "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
Yes    HKCU:Run    SkyDrive    Microsoft Corporation    "C:\Users\Paul\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background /nofre
Yes    HKLM:Run    AdobeAAMUpdater-1.0    Adobe Systems Incorporated    "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
Yes    HKLM:Run    Everything        "C:\Program Files\Everything\Everything.exe" -startup
Yes    HKLM:Run    InstallerLauncher        "C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe" /run:"C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\Installer.exe"
Yes    HKLM:Run    StartCCC    Advanced Micro Devices, Inc.    "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun

Chrome
Yes    App    Crackle    7.1.7    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfamoapbmmmlknoopmmfofgladlinic\7.1.7_0
Yes    App    Excel Online    2.0    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\iljnkagajgfdmfnnidjijobijlfjfgnb\2.0_0
Yes    App    Findable.TV    8    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\coilmbdadihokgcfjlofkbaglekighko\8_0
Yes    App    Flixster    1.0.6    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbpjlnkjhllfgfdmieompodgaefjcfh\1.0.6_0
Yes    App    Gmail    7    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
Yes    App    Google Drive    6.3    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
Yes    App    Google Search    0.0.0.20    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
Yes    App    OneNote Online    2.0    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciniambnphakdoflgeamacamhfllbkmo\2.0_0
Yes    App    TV    1.0.12    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh\1.0.12_0
Yes    App    TV - Voozy.tv    1.2    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\flnepcgaapadgbmfkmacafjiejjhbipm\1.2_0
Yes    App    Watch TV Online - Clickplayer.tv    6.4    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\flmfboagenlcnkidkjodenlgihdbkipj\6.4_0
Yes    App    Word Online    2.0    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiombgjlkfpdpkbhfioofeeinbehmajg\2.0_0
Yes    App    YouTube    4.2.6    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
Yes    Extension    Adblock Plus    1.8.8    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.8.8_0
Yes    Extension    Application Launcher for Drive (by Google)    3.2    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh\3.2_0
Yes    Extension    Auto HD For YouTube™    6.5.1    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak\6.5.1_0
Yes    Extension    Extensions Update Notifier    2.3.1    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlldbplhbaopldicmcoogopmkonpebjm\2.3.1_0
Yes    Extension    Google Cast    14.1113.0.4    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd\14.1113.0.4_0
Yes    Extension    Google Docs    0.7    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.7_0
Yes    Extension    Google Sheets    1.0    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.0_0
Yes    Extension    Google Slides    0.8    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.8_0
No    Extension    IDM Integration Module    6.21    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeaohhlajejodfjadcponpnjgkiikocn\6.21_0
Yes    Extension    Transmogrify for Plex    1.3.1    Default    C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdogfefgaagaledbkgeffgbjlaaplpgo\1.3.1_0

Firefox
Yes    Plugin    Google Earth Plugin    7.1.2.2041    Google    default    Firefox 34.0.5    C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
Yes    Plugin    Google Update    1.3.25.11    Google Inc.    default    Firefox 34.0.5    C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
Yes    Plugin    Microsoft Office 2013    15.0.4514.1000    Microsoft Corporation    default    Firefox 34.0.5    C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
Yes    Plugin    Microsoft Office 2013    15.0.4545.1000    Microsoft Corporation    default    Firefox 34.0.5    C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
Yes    Plugin    VLC Web Plugin    2.1.3.0    VideoLAN    default    Firefox 34.0.5    C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll

IE
Yes    Extension    Lync Click to Call    Microsoft Corporation    C:\Program Files\Microsoft Office\Office15\OCHelper.dll
Yes    Helper    Adblock Plus for IE Browser Helper Object    Adblock Plus    C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
Yes    Helper    Adblock Plus for IE Browser Helper Object    Adblock Plus    C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
Yes    Helper    Lync Browser Helper    Microsoft Corporation    C:\Program Files\Microsoft Office\Office15\OCHelper.dll
No    Helper    Microsoft SkyDrive Pro Browser Helper    Microsoft Corporation    C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL

Tasks
Yes    Task    AdobeAAMUpdater-1.0-WIN-KDG2VF94DT6-Paul    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe -mode=scheduled
Yes    Task    AutoKMS        C:\WINDOWS\AutoKMS\AutoKMS.exe
Yes    Task    CCleanerSkipUAC    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    GoogleUpdateTaskMachineCore    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    Maxthon Update    Maxthon International ltd.    "C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe" -RunScheduledUpdate
Yes    Task    Microsoft Office 15 Sync Maintenance for WIN-KDG2VF94DT6-Paul WIN-KDG2VF94DT6    Microsoft Corporation    C:\Program Files\Microsoft Office\Office15\MsoSync.exe
Yes    Task    Optimize Start Menu Cache Files-S-1-5-21-1816526911-536648772-1566390016-1000        


Context
Yes    Directory    Add to VLC media player's Playlist    VideoLAN    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1"
Yes    Directory    GDContextMenu    Google    C:\Program Files (x86)\Google\Drive\contextmenu64.dll
Yes    Directory    Play with VLC media player    VideoLAN    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1"
Yes    Directory    SkyDriveEx    Microsoft Corporation    C:\Users\Paul\AppData\Local\Microsoft\SkyDrive\17.3.4517.1031\amd64\SkyDriveShell64.dll
Yes    File    00avast        
Yes    File    ANotepad++64        C:\Program Files (x86)\Notepad++\NppShell_06.dll
Yes    File    GDContextMenu    Google    C:\Program Files (x86)\Google\Drive\contextmenu64.dll
Yes    File    SkyDriveEx    Microsoft Corporation    C:\Users\Paul\AppData\Local\Microsoft\SkyDrive\17.3.4517.1031\amd64\SkyDriveShell64.dll
Yes    File    WinRAR    Alexander Roshal    C:\Program Files\WinRAR\rarext.dll
Yes    File    WinRAR32    Alexander Roshal    C:\Program Files\WinRAR\rarext32.dll
Yes    File    {48F45200-91E6-11CE-8A4F-0080C81A28D4}        
Yes    Folder    Search Everything...        "C:\Program Files\Everything\Everything.exe" -path "%1"
Yes    Folder    WinRAR    Alexander Roshal    C:\Program Files\WinRAR\rarext.dll
Yes    Folder    WinRAR32    Alexander Roshal    C:\Program Files\WinRAR\rarext32.dll
Yes    Folder    {48F45200-91E6-11CE-8A4F-0080C81A28D4}        

Running ESET

 

Will post results on completion. Ramen ;-)

 

Edit: Early indication of Kryptik.ATB JS trojan. Scan still running. I have not updated to the current version of Java!?


Edited by obvious, 16 December 2014 - 08:48 AM.


#8 obvious (Topic Starter, Members, 16 posts)

Posted 16 December 2014 - 10:12 AM

ESET

C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    
C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    
C:\Users\Paul\Documents\Downloads\ccsetup500.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\DefaultAccount_ploc\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\torch\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\MtkDroidTools v2.5.3\files\pwn    Android/Exploit.Lotoor.EP trojan    cleaned by deleting - quarantined
C:\Program Files (x86)\SecurityXploded\SpyBHORemover\SpyBHORemover.exe    a variant of Win32/SecurityXploded.A potentially unsafe application    deleted - quarantined
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\lsdb.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
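
The log above shows the same two extension IDs (lcfdgpgampkplcnhbambpkiojdmiepic and lijicndbkjoplmhnclmoahmcaffaeapp) under several Chromium-based browsers (Chrome, Chrome SxS, Torch, Comodo Dragon, Chromatic Browser) and under more than one user profile, with some copies already in AdwCleaner's quarantine and others still live. The Python script below is an added example, not something posted in this thread or shipped with ESET or AdwCleaner: it parses lines in this log format, groups the hits by extension ID, user and browser, separates live files from quarantined copies, and re-walks a directory tree for those extension directories so the check can be repeated after the reboot. The embedded sample lines are a constructed excerpt in the same format; the quarantine-path mapping (C:\AdwCleaner\Quarantine\C\... back to C:\...) and the .vir suffix are read off the posted paths rather than taken from AdwCleaner documentation.

```python
"""Triage an ESET log like the one above: which extension IDs, in which browsers and
user profiles, what is only in quarantine vs still live, and a re-check of a disk tree."""
import os
import re
from collections import defaultdict

# Constructed sample in the same three-column format (path, detection, action) as the
# ESET log posted in this thread; it is an excerpt, not the full log.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Users\Paul\AppData\Local\torch\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\lsdb.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lijicndbkjoplmhnclmoahmcaffaeapp\139\aMfgGUoe.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\DefaultAccount_ploc\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lcfdgpgampkplcnhbambpkiojdmiepic\2.0\pSSeCywjRQ.js    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\MtkDroidTools v2.5.3\files\pwn    Android/Exploit.Lotoor.EP trojan    cleaned by deleting - quarantined
"""

# AdwCleaner mirrors a quarantined file's original path under its Quarantine folder
# (C:\AdwCleaner\Quarantine\C\Users\... was C:\Users\...) and appends .vir. This mapping
# is inferred from the paths in the posted log, not from AdwCleaner documentation.
QUARANTINE_PREFIX = "C:\\AdwCleaner\\Quarantine\\C\\"
EXT_ID_RE = re.compile(r"\\Extensions\\([a-p]{32})\\")   # Chrome extension IDs: 32 chars, a-p
PROFILE_RE = re.compile(r"\\Users\\([^\\]+)\\AppData\\Local\\(.+?)\\User Data\\")


def parse_eset_log(text):
    """Split each line into (path, detection, action) on runs of 2+ spaces; the
    columns are separated by several spaces while paths contain single ones ('User Data')."""
    records = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3:
            continue
        path, detection, action = parts
        quarantined = path.startswith(QUARANTINE_PREFIX)
        original = "C:\\" + path[len(QUARANTINE_PREFIX):] if quarantined else path
        if original.endswith(".vir"):
            original = original[:-4]
        records.append({"path": path, "original": original, "detection": detection,
                        "action": action, "already_quarantined": quarantined})
    return records


def extension_hits(records):
    """Map each flagged extension ID to the (user, browser) profiles it was found in."""
    hits = defaultdict(set)
    for rec in records:
        m = EXT_ID_RE.search(rec["original"])
        if not m:
            continue
        p = PROFILE_RE.search(rec["original"])
        user, browser = (p.group(1), p.group(2)) if p else ("?", "?")
        hits[m.group(1)].add((user, browser))
    return dict(hits)


def live_paths(records):
    """Detections that sat on the live filesystem, not just inside AdwCleaner's quarantine."""
    return [rec["original"] for rec in records if not rec["already_quarantined"]]


def find_extension_dirs(root, ext_ids):
    """Walk a tree (e.g. C:\\Users) and return every ...\\Extensions\\<id> directory for the
    given IDs, across all users and all Chromium-based browsers, for a post-cleanup re-check."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        if os.path.basename(dirpath) == "Extensions":
            found.extend(os.path.join(dirpath, d) for d in dirnames if d in ext_ids)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for ext_id, profiles in extension_hits(recs).items():
        print(ext_id, sorted(profiles))
    print("live (not quarantined):", live_paths(recs))
    # On the affected machine: print(find_extension_dirs(r"C:\Users", set(extension_hits(recs))))
```

Point find_extension_dirs at C:\Users rather than a single profile: the log shows the extension directories under every Chromium-based browser the machine had and under more than one account, so a re-check that only looks at the current user's Chrome profile would miss copies.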


#9 buddy215 (Moderator)

Posted 16 December 2014 - 10:43 AM

This item needs more attention as to its possibly being installed on an Android phone. Then we have which came first... the Android phone malware or the Windows malware. Do you sync or connect an Android phone to your computer?

I won't be any help in cleaning up a phone.

So, have you rebooted and if so....what's the good word...if any.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#10 obvious (Topic Starter)

Posted 16 December 2014 - 10:46 AM

I believe the Android 'malware' is a root tool, deliberately installed on a previous Android phone.

Rebooting



#11 obvious (Topic Starter)

Posted 16 December 2014 - 10:52 AM

Problem persists but hey, we're getting somewhere :)


Edited by obvious, 16 December 2014 - 10:52 AM.


#12 buddy215 (Moderator)

Posted 16 December 2014 - 12:04 PM

Try resetting Chrome, and if the redirection/hijacking is killed there, you can reset Firefox and IE too.

Google Chrome gives you the option to reset your browser settings in one easy click. In some cases, programs that you install can change your Chrome settings without your knowledge. You may see additional extensions and toolbars or a different search engine. Resetting your browser settings will reset the unwanted changes caused by installing other programs. However, your saved bookmarks and passwords will not be cleared or changed.

Reset your browser settings
  1. In the top-right corner of the browser window, click the Chrome menu.
  2. Select Settings.
  3. At the bottom, click Show advanced settings.
  4. Under the section "Reset settings", click Reset settings.
  5. In the dialog that appears, click Reset.

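
Chrome's reset disables extensions rather than removing them, so after the reset it is worth seeing, per profile, what is installed and how it got there. The script below is an added example, not from this thread, Google's help text or Chrome itself: it reads the extensions.settings subtree that Chrome keeps in a profile's Preferences or Secure Preferences file (which of the two holds it depends on the Chrome version), lists each extension with its install-location code from Chromium's Manifest::Location enum, and flags the two IDs ESET reported earlier in the thread plus anything that was not installed by the user through the browser. The embedded sample is a constructed profile fragment with a made-up second ID and made-up extension names.

```python
"""Audit a Chromium profile's installed extensions and flag the IDs from the ESET log."""
import json
import os

# The two extension IDs ESET reported in the log posted earlier in this thread.
FLAGGED_IDS = {"lcfdgpgampkplcnhbambpkiojdmiepic", "lijicndbkjoplmhnclmoahmcaffaeapp"}

# Install-location codes from Chromium's Manifest::Location enum (extensions/common/manifest.h).
# 1 is a normal install by the user through the browser; 5 is a built-in component.
LOCATION = {1: "internal (user install)", 2: "external pref", 3: "external registry",
            4: "unpacked", 5: "component", 6: "external pref download",
            7: "external policy download", 8: "command line", 9: "external policy",
            10: "external component"}

# Constructed sample of the extensions.settings subtree; the second ID and both names are made up.
SAMPLE_SETTINGS = {
    "lcfdgpgampkplcnhbambpkiojdmiepic": {
        "location": 3, "state": 1, "from_webstore": False,
        "path": "lcfdgpgampkplcnhbambpkiojdmiepic\\2.0",
        "manifest": {"name": "Sample Extension A", "version": "2.0"}},
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "location": 1, "state": 1, "from_webstore": True,
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.4_0",
        "manifest": {"name": "Sample Extension B", "version": "1.4"}},
}


def load_extension_settings(profile_dir):
    """Read extensions.settings from a profile directory (e.g. ...\\User Data\\Default).
    Depending on the Chrome version it lives in 'Preferences' or 'Secure Preferences',
    so both files are consulted and merged; a missing file is simply skipped."""
    merged = {}
    for name in ("Preferences", "Secure Preferences"):
        path = os.path.join(profile_dir, name)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                merged.update(json.load(fh).get("extensions", {}).get("settings", {}))
    return merged


def audit_extensions(settings, flagged=FLAGGED_IDS):
    """One row per extension: what it is, whether it is enabled, how it got there, and
    whether it deserves a closer look (known-bad ID, or neither a user nor a component install)."""
    rows = []
    for ext_id, info in settings.items():
        loc = info.get("location")
        manifest = info.get("manifest", {})
        rows.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "enabled": info.get("state") == 1,          # Extension::State: 0 disabled, 1 enabled
            "location": LOCATION.get(loc, f"unknown ({loc})"),
            "from_webstore": bool(info.get("from_webstore")),
            "suspicious": ext_id in flagged or loc not in (1, 5),
        })
    return rows


if __name__ == "__main__":
    for row in audit_extensions(SAMPLE_SETTINGS):
        flag = "!!" if row["suspicious"] else "  "
        print(f"{flag} {row['id']} {row['name']} v{row['version']} "
              f"enabled={row['enabled']} via {row['location']} webstore={row['from_webstore']}")
    # On the affected machine, e.g.:
    # audit_extensions(load_extension_settings(r"C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default"))
```

A location of 3 (external registry) means the extension was registered through Chrome's external-extension registry keys rather than installed from the browser, so if a flagged ID comes back after cleanup, that registry entry, not the profile, is the next place to look.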

#13 obvious (Topic Starter)

Posted 16 December 2014 - 12:19 PM

Reset Chrome and still getting redirects



#14 obvious (Topic Starter)

Posted 16 December 2014 - 12:57 PM

I apologise as I probably shouldn't have done this without checking with you first, but I re-ran ESET and it found some (but fewer) instances of the trojan. It cleaned them and things are looking positive. Redirects have been absent for several minutes. I also reset FF and IE.



#15 obvious (Topic Starter)

Posted 16 December 2014 - 01:15 PM

Still getting redirects in IE. They seem reduced, though the trojan may just have been lying low.

