Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Author of LuminosityLink RAT Pleads Guilty After Being Arrested Last Year

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Infected with websearch.hotsearches.info/ Browser hijacker? on chrome & Firefox

Started by Phil81 , Jan 01 2016 07:06 AM

This topic is locked

5 replies to this topic

#1 Phil81

Members
12 posts
OFFLINE

Local time:08:09 PM

Posted 01 January 2016 - 07:06 AM

My laptop seems to be infected with what seems to be a browser hijacker.

Everytime I load up eother chrome or firefox I got 2 pop up windows http://websearch.hotsearches.info/ & https://uk.search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-6YC3K__alt__ddc_dsssyc_bd_com

it is alos making the laptop run very slow, I have attcehd the FRST & Addition reports, please let me know what else you need.

Thanks in advance.

Phil

Attached Files

Addition.txt 37.42KB 5 downloads
FRST.txt 49.64KB 11 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 nasdaq

Malware Response Team
39,202 posts
OFFLINE

Gender:Male
Location:Montreal, QC. Canada
Local time:04:09 PM

Posted 01 January 2016 - 10:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key

+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
BHO: No Name -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File
FF Homepage: hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggXc11ZVwtBGBhFcg1cTA1DF1cOeFpZWRRIGVdGIQheAghDEQQFIk0FA18DB0VXfWFoKB8fHHhMLlxBN1AaSFtE
FF Extension: Money Viking - C:\Users\Philip\AppData\Roaming\Mozilla\Firefox\Profiles\jxc84pq4.default-1445118433197\Extensions\{8ef52718-ef02-42dc-991a-dd0e9f7bbf20}.xpi [2015-12-07] [not signed]
CHR StartupUrls: Default -> "hxxp://websearch.hotsearches.info/?pid=24377&r=2015/06/17&hid=7435550337937497930&lg=EN&cc=GB&unqvl=90","hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggXc11ZVwtBGBhFcg1cTA1DF1cOeFpZWRRIGVdGIQheAghDEQQFIk0FA1oDB0VXfV5bFElXTwhkJU1sCVwjREZWLE1LKUwT"
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
Task: {1E5FEEDD-87BD-48C9-A368-501B943D83D8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {519037B7-C21F-456B-81D6-CA4903B2EB37} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {5CD5581B-2E6B-4193-8FBF-57C51318283A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {607F163E-9847-4EA9-8DCF-9E5E6D3A3159} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {632DAC2B-37B0-4203-A86F-6E9213962B62} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {80BC8170-B141-4B82-A45A-5EE54CEACB38} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {94725C6D-891C-44FD-B931-A9AE1BF1D8F1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {A343D362-4701-4C17-B396-E8CAB2D15E4A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {B0A6277A-CEA4-42F5-90CD-63443BB76B17} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {B365AE11-AC01-432D-927B-B01EFD51BCF5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {CDD99B45-A311-48EA-AFFA-B432DCC5814A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome has been compromised

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

===

Remove Chrome using the the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.
<<<>>>

How is the computer running now?

#3 Phil81

Topic Starter

Members
12 posts
OFFLINE

Local time:08:09 PM

Posted 01 January 2016 - 11:51 AM

Fixlog posted below, the popups have stopped on both browsers, laptop restarting and booting up still a little slow, but that might be unrelated issue, Thanks

Fix result of Farbar Recovery Scan Tool (x64) Version:31-12-2015

Ran by Philip (2016-01-01 16:24:15) Run:2

Running from C:\Users\Philip\Downloads

Loaded Profiles: Philip (Available Profiles: Philip)

Boot Mode: Normal

==============================================

fixlist content:

*****************

start

CreateRestorePoint:

EmptyTemp:

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File

ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File

ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File

ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File

ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File

ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File

ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File

ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL =

BHO: No Name -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File

FF Homepage: hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggXc11ZVwtBGBhFcg1cTA1DF1cOeFpZWRRIGVdGIQheAghDEQQFIk0FA18DB0VXfWFoKB8fHHhMLlxBN1AaSFtE

FF Extension: Money Viking - C:\Users\Philip\AppData\Roaming\Mozilla\Firefox\Profiles\jxc84pq4.default-1445118433197\Extensions\{8ef52718-ef02-42dc-991a-dd0e9f7bbf20}.xpi [2015-12-07] [not signed]

CHR StartupUrls: Default -> "hxxp://websearch.hotsearches.info/?pid=24377&r=2015/06/17&hid=7435550337937497930&lg=EN&cc=GB&unqvl=90","hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggXc11ZVwtBGBhFcg1cTA1DF1cOeFpZWRRIGVdGIQheAghDEQQFIk0FA1oDB0VXfV5bFElXTwhkJU1sCVwjREZWLE1LKUwT"

S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

Task: {1E5FEEDD-87BD-48C9-A368-501B943D83D8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION

Task: {519037B7-C21F-456B-81D6-CA4903B2EB37} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION

Task: {5CD5581B-2E6B-4193-8FBF-57C51318283A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION

Task: {607F163E-9847-4EA9-8DCF-9E5E6D3A3159} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION

Task: {632DAC2B-37B0-4203-A86F-6E9213962B62} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION

Task: {80BC8170-B141-4B82-A45A-5EE54CEACB38} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION

Task: {94725C6D-891C-44FD-B931-A9AE1BF1D8F1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION

Task: {A343D362-4701-4C17-B396-E8CAB2D15E4A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION

Task: {B0A6277A-CEA4-42F5-90CD-63443BB76B17} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION

Task: {B365AE11-AC01-432D-927B-B01EFD51BCF5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION

Task: {CDD99B45-A311-48EA-AFFA-B432DCC5814A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End

*****************

Restore point was successfully created.

Processes closed successfully.

HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => key not found.

HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key not found.

HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key not found.

HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => key not found.

HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => key not found.

HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => key not found.

HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key not found.

HKCR\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key not found.

HKCR\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => key not found.

HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => key not found.

HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.

HKLM\SOFTWARE\Policies\Google => key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} => key not found.

HKCR\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} => key not found.

FF Homepage: hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggXc11ZVwtBGBhFcg1cTA1DF1cOeFpZWRRIGVdGIQheAghDEQQFIk0FA18DB0VXfWFoKB8fHHhMLlxBN1AaSFtE => not found

C:\Users\Philip\AppData\Roaming\Mozilla\Firefox\Profiles\jxc84pq4.default-1445118433197\Extensions\{8ef52718-ef02-42dc-991a-dd0e9f7bbf20}.xpi => not found.

Chrome StartupUrls => not found.

wfpcapture => service not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1E5FEEDD-87BD-48C9-A368-501B943D83D8} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{519037B7-C21F-456B-81D6-CA4903B2EB37} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5CD5581B-2E6B-4193-8FBF-57C51318283A} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{607F163E-9847-4EA9-8DCF-9E5E6D3A3159} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632DAC2B-37B0-4203-A86F-6E9213962B62} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80BC8170-B141-4B82-A45A-5EE54CEACB38} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{94725C6D-891C-44FD-B931-A9AE1BF1D8F1} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A343D362-4701-4C17-B396-E8CAB2D15E4A} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0A6277A-CEA4-42F5-90CD-63443BB76B17} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B365AE11-AC01-432D-927B-B01EFD51BCF5} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDD99B45-A311-48EA-AFFA-B432DCC5814A} => key not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found.

EmptyTemp: => 179.8 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 16:31:07 ====

#4 nasdaq

Malware Response Team
39,202 posts
OFFLINE

Gender:Male
Location:Montreal, QC. Canada
Local time:04:09 PM

Posted 02 January 2016 - 08:16 AM

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/us/online-scanner/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

DO NOT Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.
<<<>>>

#5 nasdaq

Malware Response Team
39,202 posts
OFFLINE

Gender:Male
Location:Montreal, QC. Canada
Local time:04:09 PM

Posted 07 January 2016 - 08:23 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#6 nasdaq

Malware Response Team
39,202 posts
OFFLINE

Gender:Male
Location:Montreal, QC. Canada
Local time:04:09 PM

Posted 13 January 2016 - 09:41 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Back to Virus, Trojan, Spyware, and Malware Removal Assistance