Hi.ru Chrome redirect, all attempts to remove failed.

31 replies to this topic

#16 InadequateInfirmity


Posted 17 January 2015 - 05:42 PM

Ok, go ahead with the other scan. :) After that I would run a full scan with 360.





#17 InstantAli3n


Posted 17 January 2015 - 05:58 PM

I completed the scan and got only false positives (Steam DLL game files). I don't see any logging.

 

Ok, my opinion on 360 Total Security has changed. It's got a fantastic modern design with no baloney/bologna. I just saw the Windows Patch Up function, and that installed some updates that wouldn't install otherwise. Very impressed. I'll be adding this to my arsenal. It even has options to do this single-threaded or multi-threaded. I've never seen that before. I guess this means the single-threaded scan was a process that could not be split due to the way it worked...

 

9-lab Removal is somehow able to use all my cores, but not at 100%, just sporadically... Also no logging?

 

EDIT: Found it:

 

9-lab Removal Tool 1.0.0.25 BETA
9-lab.com
 
Database version: 93.27779
 
Windows 8.1 (Version 6.3, Build 0, 64-bit Edition)
Internet Explorer 9.11.9600.17498
Administrator :: ELI-PC not implemented yet
 
1/17/2015 5:29:39 PM
9lab-log-2015-01-17 (17-29-39).txt
 
Scan type: 
Objects scanned: 52680
Time Elapsed: 23 m 46 s
 
Files detected: 10
Malware.Win32.Gen.sm!s6 [C:\Program Files (x86)\Civilization V\steam_api.dll]
Malware.Win32.Gen.sm!s2 [C:\Program Files (x86)\Don't Starve\b2p.dll]
Malware.Win32.Gen.sm!s4 [C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleUpdateSetup.exe]
Malware.Win32.Gen.bot [C:\Program Files (x86)\Ubisoft\Far Cry 3 Blood Dragon\bin\ubiorbitapi_r2_loader.dll]
Malware.Win32.Gen.an!s4 [C:\Program Files (x86)\Ubisoft\Far Cry 3 Blood Dragon\bin\uplay_r1.dll]
Malware.Win32.Gen.7CE5.sm!ff [C:\Users\Administrator\Desktop\Cory\binding of isaac rebirth\The Binding of Isaac Rebirth\steamclient.dll]
Malware.Win32.Gen.sm!s5 [C:\Users\Administrator\Desktop\Cory\escapist\The_Escapists_0.792\The Escapists\steam_api.dll]
Malware.Win32.Gen.sm!s2 [C:\Users\Administrator\Desktop\Utilities\Diagnostics\MiniToolBox.exe]
Malware.Win32.Gen.sm!s4 [C:\Users\Administrator\Desktop\Utilities\Internet Applications\ChromeSetup.exe]
Malware.Win32.Gen.an [C:\Users\Administrator\Documents\BosonX 1.0.5\BosonX_v1_0_5_PC\bosonx.exe]
 
Could that Google detection be corrupted? I don't see how, considering I just reinstalled Google Chrome about 1 hour ago.

Edited by InstantAli3n, 17 January 2015 - 06:01 PM.


#18 InadequateInfirmity


Posted 17 January 2015 - 06:01 PM

Post when the 9-Lab scan is done and tell me if you still have the same issues.



#19 InstantAli3n


Posted 17 January 2015 - 06:08 PM

I can't tell if it's gone or not, since it may only open Hi.ru when I open Chrome sometimes. It's sporadic... it may not trigger for another 24-48 hours. I don't know what determines it redirecting. As best I can figure, it will only redirect the home page if Chrome has not opened in X amount of time. So I guess I will have to wait it out. I will not forget to post a final result though. I will wait 2 days to see if it happens again.


Edited by InstantAli3n, 17 January 2015 - 06:08 PM.


#20 InadequateInfirmity


Posted 17 January 2015 - 06:16 PM

Ok, I would do a clean install of Chrome to be sure.

Back up your bookmarks

http://www.wikihow.com/Export-Bookmarks-from-Chrome

Uninstall Chrome with Revo Portable.

http://www.revouninstaller.com/download-free-portable.php

Reboot and then get Chrome from here. Chrome



#21 InstantAli3n


Posted 17 January 2015 - 07:04 PM

I don't use Revo anymore; too bloaty. But since there is a portable version I will do it just this once (again) for the benefit of the leftovers scan.

 

EDIT: Ok, that's done. No suspicious entries left over; I deleted the 6 it found anyway.

 

I will report back in 2 days.


Edited by InstantAli3n, 17 January 2015 - 07:12 PM.


#22 InadequateInfirmity


Posted 17 January 2015 - 07:22 PM

:thumbup2:



#23 InstantAli3n


Posted 20 January 2015 - 02:33 PM

Alright, it's been 2-3 days without the issue and I am 100% confident that it has been successfully removed! I've added all the tools and programs used to my small collection of utilities. I'm sure somewhere down the line these will help me remove another pesky virus from a customer's computer that I would've otherwise formatted! Thanks. :thumbsup:



#24 InadequateInfirmity


Posted 20 January 2015 - 06:33 PM

This will remove most of the tools we used here; you can bookmark this page to download fresh copies of these files. Have a good day. :guitar:

Update your Java Software


Download System Ninja To remove junk files from your machine. Get the portable version; it must be run from inside the folder.

TooWiz Smart Defrag Obviously to defrag.

Qualys BrowserCheck To update plugins.

Safe Browsing Tool Web of Trust to keep away from shady sites.

Unchecky To avoid bundled software.

Adblock Plus To browse the web ad free.

Malwarebytes Anti-Exploit To block zero-day attacks.

Malwarebytes | StartUpLITE To disable unneeded startups.


Download DelFix by "Xplode" to your Desktop.
Right-click the tool and Run as Admin (XP users: double-click).
Put a check mark next to the items below:

Remove disinfection tools
Create registry backup
Purge System Restore

Now click on the "Run" button.
Allow the program to complete its work.
All the tools we used will be removed.
The tool will create and open a log report (DelFix.txt).
Note: The report is located at C:\DelFix.txt


Edited by InadequateInfirmity, 20 January 2015 - 06:34 PM.


#25 WhiteKnight4U


Posted 03 February 2015 - 02:43 AM

I'm having the same problems. Will follow the instructions; hope someone can check and help me, I'm a non-tech guy.



#26 WhiteKnight4U


Posted 03 February 2015 - 02:46 AM

MiniToolBox by Farbar  Version: 30-11-2014
Ran by Admin (administrator) on 03-02-2015 at 14:44:56
Running from "C:\Users\Miki\Desktop"
Microsoft Windows 8 Enterprise  (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Qualcomm Atheros AR8152 PCI-E Fast Ethernet Controller (NDIS 6.30) = Ethernet 2 (Connected)
TAP-Windows Adapter V9 = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="other_0" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : acer
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-4E-8D-F3-89
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 



#27 WhiteKnight4U


Posted 03 February 2015 - 03:00 AM

I have no idea what all this means.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 8 Enterprise x64
Ran by Admin on 03/02/2015 at 14:51:38.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\baidu security"



~~~ FireFox

Successfully deleted the following from C:\Users\Miki\AppData\Roaming\mozilla\firefox\profiles\f71iq42u.default\prefs.js

user_pref("CT3289075.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3289075.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3289075.appOptions", "{\"130065467157583925\":{\"render\":true,\"disabled\":true,\"appGuid\":\"2d2f2f16-9432-4890-9f93-624a84cf6261\",\"appClientGuid\":\"\",\"isP
user_pref("CT3289075.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3289075.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
user_pref("CT3289075.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fwww.utorrent.com%2Fhelp%2Ffaq\",\"EB_MAIN_FRAME_TITLE\":\"General%2
user_pref("CT3289075.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3289075.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
user_pref("CT3289075.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
user_pref("CT3289075.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3289075\"}");
user_pref("CT3289075.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://uTorrentControlv6.OurToolbar.com//xpi\"}");
user_pref("CT3289075.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"uTorrentControl_v6 \"}");
user_pref("CT3289075.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3289075.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
user_pref("CT3289075_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1388285698388,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}
user_pref("extensions.betterff.surfcanyon.ramp.start_time", "1422947461288");



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 03/02/2015 at 14:57:00.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
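The prefs.js entries JRT deleted above are worth understanding when reading such a log: each `user_pref` line is a name plus a JS literal, and the Conduit toolbar (the `CT3289075.*` entries) packs its settings as a JSON object inside the string. The following is an added example, not code from this thread or from JRT, that parses lines in that format, skips lines cut off mid-value as in the quoted log, and flags names matching an assumed indicator list drawn from what JRT removed here (`CT<digits>` and `extensions.betterff.*`); the sample input is constructed from the log.

```python
import json
import re

# One user_pref(...) line: a double-quoted name, then a double-quoted string
# (with backslash escapes), a number, or true/false, closed by ");".
PREF_RE = re.compile(
    r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\);'
)

# Name patterns taken from the entries JRT deleted in the log above:
# CT<digits> (Conduit toolbar ids) and extensions.betterff.*. This is an
# assumed, illustrative indicator list, not an exhaustive one.
SUSPECT_NAME_RE = re.compile(r"^(?:CT\d+[._]|extensions\.betterff\.)")


def parse_prefs_js(text):
    """Return {name: value} for every well-formed user_pref line.
    Values are decoded with json.loads, which handles prefs.js escapes;
    truncated lines (as in the quoted log) do not match and are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[json.loads('"' + m.group(1) + '"')] = json.loads(m.group(2))
    return prefs


def unwrap_toolbar_value(value):
    """Conduit stores each setting as a JSON object {"dataType": .., "data": ..}
    serialised inside the pref string; return the inner data when present."""
    if isinstance(value, str) and value.startswith("{"):
        try:
            inner = json.loads(value)
        except ValueError:
            return value
        if isinstance(inner, dict) and "dataType" in inner and "data" in inner:
            return inner["data"]
    return value


def find_suspect_prefs(text):
    """Return {name: unwrapped value} for prefs whose name matches the list."""
    return {n: unwrap_toolbar_value(v)
            for n, v in parse_prefs_js(text).items() if SUSPECT_NAME_RE.match(n)}


# Constructed sample: four entries copied from the JRT log above (one of them
# cut off mid-line, as in the log) plus two benign prefs that must not match.
SAMPLE = r'''user_pref("browser.startup.homepage", "about:home");
user_pref("CT3289075.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
user_pref("CT3289075.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"uTorrentControl_v6 \"}");
user_pref("CT3289075.appOptions", "{\"130065467157583925\":{\"render\":true,\"disabled\":true,\"appGuid\":\"2d2f2f16
user_pref("extensions.betterff.surfcanyon.ramp.start_time", "1422947461288");
user_pref("network.cookie.cookieBehavior", 1);
'''
```

Calling `find_suspect_prefs(SAMPLE)` returns only the three complete Conduit/betterff entries with their inner values unwrapped; the truncated `appOptions` line and the two benign prefs are left out.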
 



#28 InadequateInfirmity


Posted 03 February 2015 - 03:16 AM

Start a new thread

http://www.bleepingcomputer.com/forums/index.php?app=forums&module=post&section=post&do=new_post&f=103

 

Post the logs into it. :)



#29 WhiteKnight4U


Posted 03 February 2015 - 03:26 AM

# AdwCleaner v4.109 - Report created 03/02/2015 at 15:19:42
# Updated 24/01/2015 by Xplode
# Database : 2015-02-02.1 [Live]
# Operating System : Windows 8 Enterprise  (64 bits)
# Username : Admin - ACER
# Running from : C:\Users\Miki\Desktop\adwcleaner_4.109.exe
# Option : Clean

***** [ Services ] *****

[x] Not Deleted : YahooAUService

***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16384


-\\ Mozilla Firefox v33.0.2 (x86 en-US)

[f71iq42u.default\prefs.js] - Line Deleted : user_pref("extensions.betterff.surfcanyon.ramp.start_time", "1422950960407");

-\\ Google Chrome v40.0.2214.94


*************************

AdwCleaner[R0].txt - [7593 octets] - [03/02/2015 14:05:04]
AdwCleaner[R1].txt - [1039 octets] - [03/02/2015 15:01:34]
AdwCleaner[R2].txt - [1160 octets] - [03/02/2015 15:16:43]
AdwCleaner[S0].txt - [7600 octets] - [03/02/2015 14:11:50]
AdwCleaner[S1].txt - [1114 octets] - [03/02/2015 15:05:07]
AdwCleaner[S2].txt - [1095 octets] - [03/02/2015 15:19:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1155 octets] ##########
 



#30 WhiteKnight4U


Posted 03 February 2015 - 03:44 AM

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Adware Removal Tool v3.9
Time: 2015_02_03_15_27_20
OS: Windows 8 - 64 Bit
Account Name: Admin
U0L0S21

\\\\\\\\\\\\\\\\\\\\\\\ Repair Logs \\\\\\\\\\\\\\\\\\\\\\

Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.35_0\img\signals.whitesmoke.15px.faster.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.35_0\img\signals.whitesmoke.15px.fastest.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.35_0\img\signals.whitesmoke.15px.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.35_0\img\signals.whitesmoke.png
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.40.1_0\img\signals.whitesmoke.15px.faster.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.40.1_0\img\signals.whitesmoke.15px.fastest.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.40.1_0\img\signals.whitesmoke.15px.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.40.1_0\img\signals.whitesmoke.png
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.41_0\img\signals.whitesmoke.15px.faster.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.41_0\img\signals.whitesmoke.15px.fastest.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.41_0\img\signals.whitesmoke.15px.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.41_0\img\signals.whitesmoke.png
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.44_0\img\signals.whitesmoke.15px.faster.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.44_0\img\signals.whitesmoke.15px.fastest.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.44_0\img\signals.whitesmoke.15px.gif
Deleted - File - C:\Users\Miki\Appdata\Local\Google\Chrome\User Data\Default\Extensions\oiiaigjnkhngdbnoookogelabohpglmd\2.4.44_0\img\signals.whitesmoke.png
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}:dllname
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}:masterclsid
Deleted - RegistryValueData - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}:dllname
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}
Deleted - RegistryKey - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility:{472734EA-242A-422B-ADF8-83D1E48CC825}

\\ Finished
 





