Google Search captcha redirect "unusual traffic" from my computer"

HI.

 

I had posted about this issue in the "Am I Infected... ?" section and followed the instructions to clean my computer (http://www.bleepingcomputer.com/forums/t/601140/google-redirect-ivp4-with-captcha/). All seems fine but the Helper there said that I could follow the Prep Guide (starting with step 6) here and post the FRST logs just to be sure. 

 

As a side note, I notice that since cleaning, I no longer have what I think was a toolbar of some sort at the top of Google Chrome. - *Correction here. It was the Bookmarks Bar that was hidden and I can get back using the Chrome settings, sorry* And, I don't appear to be getting pop-up messages from Facebook. - *This is correct*

 

Anyway, the logs are attached. Thanks so much for all your help.

Edited by Dawgmom, 04 January 2016 - 01:33 PM.

to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.

Please follow these guidelines:

• Read and follow the instructions in the sequence they are posted.
• print or copy & save instructions.
• back up all your private data / music / important files on another (external) drive before using our tools.
• Do not install / uninstall any applications, unless otherwise instructed.
• Use only that tools you have been instructed to use.
• Copy and Paste the log files inside your post, unless otherwise instructed.
• Ask for clarification, if you have any questions.
• Stay with this topic til you get the all clean post.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  Vista / Windows 7/8 users right-click and select Run As Administrator.

• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
• Double click on downloaded file. OK self extracting prompt.
• MBAR will start. Click in the introduction screen "next" to continue.
• Click in the following screen "Update" to obtain the latest malware definitions.
• Once the update is complete select "Next" and click "Scan".

With some infections, you may see two messages boxes.

• 'Could not load protection driver'. Click 'OK'.
• 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
• If there is no malware found, please let me know as well.

***

Hi, Jo.

 

MBAM didn't find anything so, there was no log created. Here is the results of the Security Check:

 

---

 

Hello,
 

***

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt

 

start
CreateRestorePoint:
EmptyTemp:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> {5DF403B7-A9C3-4D91-A623-16BF1C181A43} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]
HKU\S-1-5-21-2735503292-562093371-4236257958-1001\...\Run: [AdobeBridge] => [X]
end

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system

Run FRST / FSRT64 again like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

Download Sophos Free Virus Removal Tool and save it to your desktop.

• Double click the icon and select Run
• Click Next
• Select I accept the terms in this license agreement, then click Next twice
• Click Install
• Click Finish to launch the program
• Once the virus database has been updated click Start Scanning
• If any threats are found click Details, then View log file... (bottom left hand corner)
• Copy and paste the results in your reply
• Close the Notepad document, close the Threat Details screen, then click Start cleanup
• Click Exit to close the program

***

Emsisoft Emergency Kit

• Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
• Save EmsisoftEmergencyKit.exe to your Desktop.
• Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
  
• Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
• Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
• Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  
• Choose Yes, then wait for EEK to finish updating.
• Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
• Wait for the scan to finish.
  
• If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
• If Emsisoft Emergency Kit asks to reboot, please do so immediately.
• The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  
• Please Copy and Paste the contents of the scan log in your next reply.

I have one question - do I turn off my antivirus and firewall before doing these two things?

try the scans leaving your antivirus and firewall on

only case of problems, switch antivirus and firewall off (don't forget to switch it on when sans are finished)

Okay. Well I had turned them off for the first (Sophos) scan. So, as I'm about to do the EEK scan, I'll turn them back on. 

 

Sophos didn't find anything and produced no log, btw.

 

Thank you.

Hello again.

 

The EEK scan also found nothing but here is the result log:

 

---

 

Please run the F-Secure Online Scanner
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

The scan didn't take long and no harmful threats were reported so, there was no option to view any report.

***

It Appears That Your Pc Is Now Clean!

***

Clean up:

***

Right-click AdwCleaner.exe and select Run As Administrator.

• Click on the Uninstall button.
• A window will open, press the Confirm button.
• AdwCleaner will uninstall now.

***

Clean up with delfix:

• please download delfix to your desktop.
• Close all other programms and start delfix.
• Please check all the boxes and run the tool.
• delfix will now delete all found traces of our removal process

***

Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

***

Here are some Preventive tips to reduce the potential for spyware infection in the future

Browse more secure

• WOT - Know which websites to trust
  Web of Trust - this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam.

Make sure you keep your Windows OS current.

• Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
• Windows Vista / 7 users can update via
  Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).

Avoid P2P

• If you think you're using a "safe" P2P program, only the program is safe, not the data.
• You will share files from unsafe sources, and these may be infected.
• Some bad guys use P2P filesharing as an important chanel to spread their wares.

Use only one anti-virus software and keep it up-to-date.

Firewall
Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

Use Strong passwords!

Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.

***

Thank you sooo much for your help!

 

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.