
Google Search captcha redirect "unusual traffic" from my computer


This topic is locked.
14 replies to this topic

#1 Dawgmom

Posted 04 January 2016 - 01:23 PM

HI.

 

I had posted about this issue in the "Am I Infected... ?" section and followed the instructions to clean my computer (http://www.bleepingcomputer.com/forums/t/601140/google-redirect-ivp4-with-captcha/). All seems fine but the Helper there said that I could follow the Prep Guide (starting with step 6) here and post the FRST logs just to be sure. 

 

As a side note, I notice that since cleaning, I no longer have what I think was a toolbar of some sort at the top of Google Chrome. - *Correction here. It was the Bookmarks Bar that was hidden and I can get back using the Chrome settings, sorry* And, I don't appear to be getting pop-up messages from Facebook. - *This is correct*

 

Anyway, the logs are attached. Thanks so much for all your help.

Edited by Dawgmom, 04 January 2016 - 01:33 PM.


#2 Jo* (Malware Response Team)

Posted 04 January 2016 - 01:45 PM


Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic till you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Dawgmom (Topic Starter)

Posted 04 January 2016 - 02:54 PM

Hi, Jo.

 

MBAM didn't find anything, so there was no log created. Here are the results of the Security Check:

 

---

 

 Results of screen317's Security Check version 1.009  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Disabled!  
Windows Defender             
AVG AntiVirus Free Edition   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 60  
 Java 8 Update 66  
 Adobe Flash Player 19.0.0.226  
 Mozilla Firefox (42.0) 
 Google Chrome (47.0.2526.106) 
 Google Chrome (47.0.2526.80) 
````````Process Check: objlist.exe by Laurent````````  
 CheckPoint ZoneAlarm ZaPrivacyService.exe  
 CheckPoint ZoneAlarm zatray.exe  
 CheckPoint ZoneAlarm vsmon.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
---
 
As I said, I did follow the instructions I received from the other BC forum before moving to this one. I thought the adviser there had helped me but said to double check here. So, thanks for checking more thoroughly for me!


#4 Jo* (Malware Response Team)

Posted 04 January 2016 - 03:01 PM

Hello,
 

***


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt

 
start
CreateRestorePoint:
EmptyTemp:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> {5DF403B7-A9C3-4D91-A623-16BF1C181A43} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]
HKU\S-1-5-21-2735503292-562093371-4236257958-1001\...\Run: [AdobeBridge] => [X]
end


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

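The fixlist above removes three kinds of leftovers: Run-key values with an empty name or a missing target (what FRST prints as `[] => [X]` and `[X]`), services and drivers whose image file is gone (the three ZAM entries), and machine-wide browser registrations (an IE SearchScope and an HKLM Chrome extension key). The script below is an added example, not part of this thread and not FRST's own code: a read-only PowerShell audit of those same locations so a defender can see which entries point at files that no longer exist before deciding what to remove. It assumes an elevated Windows PowerShell 5.1 (or later) session on the machine being checked; the function names and output layout are mine.

```powershell
# Added example, not part of the thread and not FRST's code: read-only audit of the
# autostart locations the fixlist above touched. It reports; it removes nothing.
# Assumption: run in an elevated Windows PowerShell 5.1 (or later) session.

function Resolve-ImagePath {
    # Turn a Run-key command line or service ImagePath into a plain file path, e.g.
    #   "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service  -> the quoted .exe
    #   \??\C:\WINDOWS\System32\drivers\zam64.sys                      -> C:\WINDOWS\...\zam64.sys
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        # Unquoted command line: cut at the first switch-style argument (" /x" or " -x")
        $idx = $cmd.IndexOf(' /')
        if ($idx -lt 0) { $idx = $cmd.IndexOf(' -') }
        if ($idx -gt 0) { $cmd = $cmd.Substring(0, $idx) }
    }
    $cmd = $cmd -replace '^\\\?\?\\', ''                        # NT object-manager prefix \??\
    $cmd = $cmd -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # driver paths relative to SystemRoot
    $cmd = $cmd -replace '^System32\\', "$env:SystemRoot\System32\"
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

function Get-RunKeyFindings {
    # Both HKLM views (WOW6432Node is what FRST labels HKLM-x32) plus the current user's Run key.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata Get-ItemProperty adds to every object
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $command = [string]$p.Value
            $target  = Resolve-ImagePath $command
            # An empty-name value shows up here as "(default)"; FRST prints it as "Run: []".
            if (-not $command)                                       { $status = 'EMPTY' }
            elseif ($target -and (Test-Path -LiteralPath $target))   { $status = 'OK' }
            else                                                     { $status = 'MISSING' }  # FRST's "[X]"
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $command; Status = $status }
        }
    }
}

function Get-OrphanedServices {
    # Services and kernel drivers whose image file is missing on disk, like the ZAM entries above.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        foreach ($svc in Get-CimInstance -ClassName $class) {
            $target = Resolve-ImagePath $svc.PathName
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Class = $class; Name = $svc.Name; StartMode = $svc.StartMode; Path = $svc.PathName }
            }
        }
    }
}

function Get-BrowserRegistrations {
    # Machine-wide IE search scopes and Chrome extension registrations, the two browser keys in the fixlist.
    $scopeRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path -Path $scopeRoot) {
        foreach ($k in Get-ChildItem -Path $scopeRoot) {
            $url = (Get-ItemProperty -Path $k.PSPath).URL
            [pscustomobject]@{ Kind = 'IE SearchScope'; Id = $k.PSChildName; Value = $url }
        }
    }
    foreach ($extRoot in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                         'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path -Path $extRoot)) { continue }
        foreach ($k in Get-ChildItem -Path $extRoot) {
            $p = Get-ItemProperty -Path $k.PSPath
            # A registration carries either an update_url (store-hosted) or a local crx path
            [pscustomobject]@{ Kind = 'Chrome extension (HKLM)'; Id = $k.PSChildName; Value = "$($p.update_url)$($p.path)" }
        }
    }
}

Get-RunKeyFindings       | Format-Table -AutoSize
Get-OrphanedServices     | Format-Table -AutoSize
Get-BrowserRegistrations | Format-Table -AutoSize
```

Entries reported as MISSING or returned by Get-OrphanedServices are the ones that correspond to FRST's `[X]` marker: an autostart or service registration whose file is already gone, which is harmless by itself but is the trace an earlier removal left behind. Browser registrations are listed without judgement, since a search scope or a machine-installed extension is legitimate for many setups; the point is to know what is there and compare it against what you expect.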


#5 Dawgmom (Topic Starter)

Posted 04 January 2016 - 03:12 PM

Thank you and here's the results:
 
---
 
Fix result of Farbar Recovery Scan Tool (x64) Version:31-12-2015
Ran by DawgMom (2016-01-04 15:05:59) Run:1
Running from C:\Users\DawgMom\Desktop
Loaded Profiles: DawgMom (Available Profiles: DawgMom)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> {5DF403B7-A9C3-4D91-A623-16BF1C181A43} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]
HKU\S-1-5-21-2735503292-562093371-4236257958-1001\...\Run: [AdobeBridge] => [X]
end
*****************
 
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5DF403B7-A9C3-4D91-A623-16BF1C181A43}" => key removed successfully
HKCR\CLSID\{5DF403B7-A9C3-4D91-A623-16BF1C181A43} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj" => key removed successfully
ZAMSvc => service removed successfully
ZAM => service removed successfully
ZAM_Guard => service removed successfully
HKU\S-1-5-21-2735503292-562093371-4236257958-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
EmptyTemp: => 346 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 15:06:38 ====


#6 Jo* (Malware Response Team)

Posted 04 January 2016 - 03:40 PM

:step1: Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

***


:step2: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.



#7 Dawgmom (Topic Starter)

Posted 04 January 2016 - 04:31 PM

I have one question - do I turn off my antivirus and firewall before doing these two things?



#8 Jo* (Malware Response Team)

Posted 04 January 2016 - 04:57 PM

Try the scans leaving your antivirus and firewall on.

Only in case of problems, switch antivirus and firewall off (don't forget to switch them back on when the scans are finished).



#9 Dawgmom (Topic Starter)

Posted 04 January 2016 - 05:58 PM

Okay. Well I had turned them off for the first (Sophos) scan. So, as I'm about to do the EEK scan, I'll turn them back on. 

 

Sophos didn't find anything and produced no log, btw.

 

Thank you.



#10 Dawgmom (Topic Starter)

Posted 04 January 2016 - 06:27 PM

Hello again.

 

The EEK scan also found nothing but here is the result log:

 

---

 

Emsisoft Emergency Kit - Version 10.0
Last update: 1/4/2016 6:05:21 PM
User account: HP-Office\DawgMom
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 1/4/2016 6:06:24 PM
 
Scanned 76594
Found 0
 
Scan end: 1/4/2016 6:09:57 PM
Scan time: 0:03:33
 
---
 
If you don't recommend any further tests / scans, is it okay to uninstall the programs BC has had me install over the last couple of days? Or, if there's something else I need to do, please advise. 
 
Thank you again so much. I appreciate it!


#11 Jo* (Malware Response Team)

Posted 05 January 2016 - 04:21 AM

Please run the F-Secure Online Scanner.
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report in your next reply.



#12 Dawgmom (Topic Starter)

Posted 05 January 2016 - 01:06 PM

The scan didn't take long and no harmful threats were reported, so there was no option to view any report.



#13 Jo* (Malware Response Team)

Posted 05 January 2016 - 02:00 PM

***


It appears that your PC is now clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some preventive tips to reduce the potential for spyware infection in the future.

:step1: Browse more securely.

:step2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows Update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).

:step3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.

:step4: Use only one anti-virus software and keep it up to date.

:step5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

:step6: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step7: Use strong passwords!

:step8: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security leaks.


***




#14 Dawgmom (Topic Starter)

Posted 05 January 2016 - 05:04 PM

Thank you sooo much for your help!

 

:bounce:



#15 Jo* (Malware Response Team)

Posted 05 January 2016 - 05:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
