Infected by Adcash (clickjack)


2 replies to this topic

#1 miles_muso

miles_muso

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 22 August 2015 - 12:53 PM

Mod Edit: Disabled posted links - Hamluis.

Hi,
 
I am infected with a clickjack virus, which changes search results, opens advertising pages, opens new browser windows and has hung my system a few times. 
 
Here is a real-time example (I'm performing these actions as I type):
 
1.  Navigate to www.*******.com (a torrent site)
2.  Hover over a download button
3. The destination address is correctly shown in the bottom left corner of the browser (ie www.torrentsite.com/location_of_torrent_file.html#)
4. Now I actually click on the download button.........
5. New browser tab opens. The name on the tab is 'redirecting......', and then it takes me to, in this case, 
 
hxxx://online-survey.website/aug8/index_11_browser.php?device=DESKTOP&isp=Sky%20Broadband&ip=176.254.54.102&os=Windows&osversion=Windows%207&browser=Chrome&voluumdata=vid..00000003-048d-4b2c-8000-000000000000__vpid..3946e800-48ef-11e5-80f7-dd8636035504__caid..c2391229-c280-4cbe-a3f1-7e85564f7f14__rt..R__lid..931faa80-93ae-4e9a-ab79-c81726520d1f__oid1..349f4b5c-892e-4d6a-887e-e6c5f38e200e__oid2..d797c409-dcef-49ed-ab19-01f3ad83d25f__var1..196931__var2..{voluum-cid}__rd..__aid..__sid..&zoneid=196931&voluum-cid={voluum-cid}&cost=0.0035
 
Repeating stage 4 redirects to a different URL each time.  So when I do it again, I get:
 
hxxx://ext.gomovix.com/wi/lp13/index_14.php?rh=1&v=13&cid=5236&clickid=00002556p026557965226&cachecode=QHrwNyJYNJvdD9zFjn_Sag&rd=0
 
and the next:
 
hxxx://www.bet365.com/home/FlashGen4/WebConsoleApp.asp?affiliate=365_374888&cb=10326422425
 
and so on, including a fake BSOD.
 
I have run full system scans with MBAM, SpyHunter, adwcleaner, HitmanPro and Kaspersky.  Some of these found some rogue items and deleted them, but the problem remains after reboot.
 
I have searched for programs and browser extensions that I don't recognise, using standard uninstall and IObit Uninstaller, but there's nothing I can see that looks dodgy.
 
Please advise on what to try next!
 
Many thanks, 
miles_muso


Edited by hamluis, 22 August 2015 - 01:37 PM.
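The landing URLs quoted above carry two kinds of query parameters: fields describing the victim (ISP, public IP, OS, browser), which the intermediate "redirecting..." page fills in server-side, and campaign/affiliate identifiers that say who is being paid for the click. The following Python script is an added example, not part of the original post or of any tool named in the thread; it parses the three posted URLs (the defanged scheme restored to http, and the poster's public IP replaced with the documentation address 192.0.2.10) and separates those two groups so the fingerprint leakage and the tracker IDs can be read at a glance. The `voluumdata` field format (`key..value__key..value`) is inferred from the sample itself.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the three landing URLs quoted in the post, with the
# defanged scheme restored to http and the poster's public IP replaced by
# the documentation address 192.0.2.10.  Everything else is as posted.
SAMPLE_URLS = [
    "http://online-survey.website/aug8/index_11_browser.php?device=DESKTOP"
    "&isp=Sky%20Broadband&ip=192.0.2.10&os=Windows&osversion=Windows%207"
    "&browser=Chrome&voluumdata=vid..00000003-048d-4b2c-8000-000000000000"
    "__vpid..3946e800-48ef-11e5-80f7-dd8636035504"
    "__caid..c2391229-c280-4cbe-a3f1-7e85564f7f14__rt..R"
    "__lid..931faa80-93ae-4e9a-ab79-c81726520d1f__var1..196931"
    "__var2..{voluum-cid}__rd..__aid..__sid..&zoneid=196931"
    "&voluum-cid={voluum-cid}&cost=0.0035",
    "http://ext.gomovix.com/wi/lp13/index_14.php?rh=1&v=13&cid=5236"
    "&clickid=00002556p026557965226&cachecode=QHrwNyJYNJvdD9zFjn_Sag&rd=0",
    "http://www.bet365.com/home/FlashGen4/WebConsoleApp.asp"
    "?affiliate=365_374888&cb=10326422425",
]

# Fields that describe the victim (filled in server-side by the redirector).
FINGERPRINT_KEYS = ("device", "isp", "ip", "os", "osversion", "browser")
# Fields that identify the campaign / affiliate paying for the click.
TRACKER_KEYS = ("voluumdata", "voluum-cid", "zoneid", "cost", "cid",
                "clickid", "cachecode", "affiliate")


def parse_voluumdata(value):
    """Split a 'key..value__key..value' blob into a dict (format inferred
    from the sample).  Keys with no value (rd, aid, sid) map to ''."""
    out = {}
    for part in value.split("__"):
        key, sep, val = part.partition("..")
        if sep:
            out[key] = val
    return out


def triage(url):
    """Return host, victim-fingerprint fields and tracker fields of one landing URL."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    record = {
        "host": parts.hostname,
        "fingerprint": {k: query[k] for k in FINGERPRINT_KEYS if k in query},
        "tracker": {k: query[k] for k in TRACKER_KEYS if k in query},
    }
    if "voluumdata" in record["tracker"]:
        record["tracker"]["voluumdata"] = parse_voluumdata(record["tracker"]["voluumdata"])
    return record


def triage_all(urls=SAMPLE_URLS):
    """Triage a list of landing URLs captured from the redirect chain."""
    return [triage(u) for u in urls]


if __name__ == "__main__":
    for rec in triage_all():
        print(rec["host"], rec["fingerprint"], sorted(rec["tracker"]))
```

When run against a list of captured landing pages, the `fingerprint` dict shows exactly what the redirector already knew about the machine before the page loaded, and the `tracker` dict gives the IDs (zoneid, affiliate, clickid) worth including in an abuse report to the ad network.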


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  • Gender:Male
  • Location:Serbia
  • Local time:09:14 AM

Posted 22 August 2015 - 01:02 PM

Hello and welcome to BC,

 

SpyHunter is a rogue software. Uninstall it. 

Please read this quote from quietman7 about SpyHunter.

 

-----------------

 

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.

§  A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

------

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Inform me if something is detected.

-------

 

Run MBAM again:

 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on the Settings tab, under Detection and Protection, set the following options:

1. 'Scan for rootkits'

2. Under Non-Malware Protection, for 'PUP detections', check the 'Treat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, then click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

-----------------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  Click on Scan button.

§  When the scan has finished click on Clean button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[S0].txt as well.

------------------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

-----------------


Edited by severac, 22 August 2015 - 01:05 PM.

I would like to help you to remove malware. Let's look inside.

But I don't know how to solve all PC problems.

 


#3 miles_muso

miles_muso
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 22 August 2015 - 02:10 PM

Hi Severac,

 

Thanks for your prompt reply!

 

1. rkill installed and run.  No problems.

2. Kaspersky VRT installed and run.  1 object detected and neutralised. 

 

not-a-virus:Downloader.Win32.InstallFlash.c

File: C:\Program Files (x86)\BGroom\BGroomLobby.exe
Legal software that can be used by criminals to damage your computer or personal data
    MD5:  730F0F48B186942CF561650ECF3FAE1E
    SHA256:  393C3C862E6CA1122FE327D5EE13F0227F966E91FD5800AEBBB71848AA52E097
(BGroom is a Backgammon gaming room. I can live without it, and so I have uninstalled the whole program. I seem to remember problems started shortly after this install. Maybe this is the culprit?)
 
I'm posting this now and I'll reboot, and continue with the rest of the process.
 
Thanks again for your help so far.
 
miles
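The detection above gives two indicators worth keeping: the MD5 and SHA-256 of the flagged BGroomLobby.exe. Uninstalling the program removes the listed path, but a copy of the same binary can survive elsewhere (a downloads folder, a temp directory, a second install). The following Python script is an added example, not part of the original post or of any tool named in the thread; it hashes executables under a directory tree and reports any file whose digest matches a table of known-bad hashes, carrying the two digests from the post as the default table. The `build_demo_tree` fixture constructs a stand-in file (not the real binary) so the scan can be exercised offline; the stand-in's own digests are used as the IOC table for that run.

```python
import hashlib
import tempfile
from pathlib import Path

# IOCs as reported by Kaspersky in the post (hex digests, lower-cased for comparison).
KNOWN_BAD = {
    "730f0f48b186942cf561650ecf3fae1e":
        "not-a-virus:Downloader.Win32.InstallFlash.c (MD5)",
    "393c3c862e6ca1122fe327d5ee13f0227f966e91fd5800aebbb71848aa52e097":
        "not-a-virus:Downloader.Win32.InstallFlash.c (SHA256)",
}


def file_hashes(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs=KNOWN_BAD, suffixes=(".exe", ".dll", ".scr")):
    """Walk root, hash executables and report files whose MD5 or SHA-256 is in iocs.
    Unreadable files (locked by a running process, permission denied) are
    collected in `errors` instead of aborting the scan."""
    hits, errors = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            md5, sha256 = file_hashes(path)
        except OSError as exc:
            errors.append((str(path), str(exc)))
            continue
        matched = [iocs[h] for h in (md5, sha256) if h in iocs]
        if matched:
            hits.append({"path": str(path), "md5": md5,
                         "sha256": sha256, "matched": matched})
    return hits, errors


def build_demo_tree():
    """Constructed fixture (not the real BGroom binary): a temp tree holding one
    stand-in 'bad' file, one clean file and one non-executable, plus an IOC
    table keyed on the stand-in's real digests so the scan has something to match."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "BGroom").mkdir()
    bad = root / "BGroom" / "BGroomLobby.exe"
    bad.write_bytes(b"MZ constructed stand-in, not the detected binary")
    (root / "clean.exe").write_bytes(b"MZ harmless")
    (root / "readme.txt").write_bytes(b"ignored: not an executable suffix")
    md5, sha256 = file_hashes(bad)
    return root, {md5: "demo-md5", sha256: "demo-sha256"}


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    print(scan_tree(demo_root, demo_iocs))
    # Real use on the path from the post (run as Administrator so locked files are readable):
    # print(scan_tree(r"C:\Program Files (x86)", KNOWN_BAD))
```

A match on either digest is enough to report the file; listing both lets the hit be checked against a vendor page that publishes only one of them. Files that cannot be opened are returned in `errors` and deserve a second look rather than being ignored, since a locked executable is often one that is currently running.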




