
Redirects in Explorer Firefox and Google. Popups everywhere


  • This topic is locked
19 replies to this topic

#1 Johnfavata
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 18 January 2016 - 05:42 PM

Yesterday all of sudden lost control of computer. There have been redirects everywhere and it has been very difficult to even get to this point because of the redirects and pop ups. Ran the requested programs and here are the attachments.

 

Thank you so much for any help

Attached Files




#2 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 19 January 2016 - 01:23 PM

Hello Johnfavata,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

 

 

1.

Uninstalling A Program Through "Add/Remove"

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the entries and selecting "Remove":

One System Care
Royal Raid
Search Window

Additional instructions can be found here if needed.

 

 

2.

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

 

 

3.

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Double-click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

Still redirecting?


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 19 January 2016 - 08:22 PM

Hello fireman4it,

Thank you for your help. Attached is the file requested and I am pasting the other log. Most redirects seem to be gone, but I do notice that when I launch Chrome it still wants to launch in Yahoo, which all the browsers were doing before the fix.

Here is the address bar after Chrome launches: https://search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-6YMG3__alt__ddc_dsssyc_bd_com

The default homepage for Chrome is https://www.google.com/?gws_rd=ssl. Also there is a Google search bar at the top at all times now, even on the desktop, which was not there before. Again, thank you for your help. John
 
 
# AdwCleaner v5.030 - Logfile created 19/01/2016 at 19:52:34
# Updated 17/01/2016 by Xplode
# Database : 2016-01-19.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : John F - JOHN
# Running from : C:\Users\John F\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\John F\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CD3D328-E6D8-435F-99F8-A6BC5C6C7AAE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E7A3F61-9AF4-4285-B3E6-1934A46AD719}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7CE6F25D-C85B-4040-89EF-0922C5C6C3D8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D00AA959-6B6D-4B9D-A3B0-B0EE934B9F7C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D1303224-4260-47C9-8498-3137E61A57BB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{896C118B-E30E-4079-A1D8-620D5C451BD1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B5EA72D1-E5A4-4611-8665-5DC10A287A5F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FCB96A44-A6EC-44BB-B465-CF146C22FB99}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38122A36-83B2-46B8-B39A-EC72A4614A07}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{38122A36-83B2-46B8-B39A-EC72A4614A07}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82bacdc9-afce-41ee-92f5-b54f6db45a1c}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c5ce0d8e-0300-4a17-a89c-6cc8078348ad}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2CD3D328-E6D8-435F-99F8-A6BC5C6C7AAE}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3E7A3F61-9AF4-4285-B3E6-1934A46AD719}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7CE6F25D-C85B-4040-89EF-0922C5C6C3D8}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{82bacdc9-afce-41ee-92f5-b54f6db45a1c}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D00AA959-6B6D-4B9D-A3B0-B0EE934B9F7C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D1303224-4260-47C9-8498-3137E61A57BB}
[-] Key Deleted : HKCU\Software\Rocket Browser
[-] Key Deleted : HKCU\Software\RocketUpdater
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
[-] Key Deleted : HKU\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
[-] Key Deleted : HKU\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
[!] Key Not Deleted : HKU\S-1-5-21-2012782116-1702301767-3356681026-1001\Software\One System Care
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bleepcrawler.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.windfinder.com

***** [ Web browsers ] *****

[-] [C:\Users\John F\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghAdl8IU1sVFBhFcgAOTA1AF1QOIQAPBBQQEwBBIggKBQ9CRVEFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlEmSFtHL04=
[-] [C:\Users\John F\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bmiabdepfhhiieiipmeecdmeljggmfee

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4252 bytes] ##########

Attached Files
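The AdwCleaner log above has two kinds of entries: "[-]" lines for items the tool removed and a single "[!]" line for a registry key it could not remove. As an added example (not posted in this thread and not part of AdwCleaner), the script below parses that log format and separates the two, so the leftovers needing follow-up stand out. The sample input is an excerpt of lines from the log above, embedded so the script runs offline; the section-header and entry patterns are my reading of that format, not a published specification.

```powershell
# Added example, not from the thread or from AdwCleaner. Parses the cleaning-log
# format pasted above and reports what the tool could not remove.
# Sample input: an excerpt of the log above, embedded so this runs offline.
$SampleLog = @'
***** [ Folders ] *****

[-] Folder Deleted : C:\Users\John F\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee
[-] Key Deleted : HKCU\Software\Rocket Browser
[!] Key Not Deleted : HKU\S-1-5-21-2012782116-1702301767-3356681026-1001\Software\One System Care

***** [ Web browsers ] *****

[-] [C:\Users\John F\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghAdl8IU1sVFBhFcgAOTA1AF1QOIQAPBBQQEwBBIggKBQ9CRVEFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlEmSFtHL04=
'@

function ConvertFrom-AdwCleanerLog {
    # Turns log lines into objects: Section, Item (Key/Folder/File/browser setting),
    # Removed ($true for "[-]", $false for "[!]") and Target (the path or value).
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\*{5} \[ (?<section>.+?) \] \*{5}$') {
            $section = $Matches.section
            continue
        }
        # "[-] Key Deleted : <target>", "[!] Key Not Deleted : <target>" and
        # "[-] [<file>] [<setting>] Deleted : <value>" all share this shape.
        if ($line -match '^\[(?<flag>[-!])\] (?<item>.+?) (?:Not )?Deleted : (?<target>.+)$') {
            [pscustomobject]@{
                Section = $section
                Item    = $Matches.item
                Removed = ($Matches.flag -eq '-')
                Target  = $Matches.target
            }
        }
    }
}

$entries   = ConvertFrom-AdwCleanerLog -Lines ($SampleLog -split "`r?`n")
$leftovers = @($entries | Where-Object { -not $_.Removed })
$removed   = @($entries | Where-Object { $_.Removed }).Count

'Entries: {0}   removed: {1}   left over: {2}' -f @($entries).Count, $removed, $leftovers.Count
$leftovers | Format-Table Section, Item, Target -AutoSize -Wrap
```

For a real log, replace the sample with `Get-Content C:\AdwCleaner\AdwCleaner[C1].txt` and pass the lines in. On the sample, the only leftover is the per-user key of "One System Care", the program the helper asked to be uninstalled in post #2. Note that AdwCleaner reports per-user keys under HKU\<SID> for every loaded hive (.DEFAULT, S-1-5-19, S-1-5-20 and the user's own S-1-5-21-... account appear in the log above), so that S-1-5-21 path is the logged-on user's HKCU seen from the HKEY_USERS side.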



#4 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 20 January 2016 - 06:50 AM

Good morning,

 

Just wanted to let you know that when I turned the computer on this morning there was a PC Driver Kit popup asking me if I want to register for PC Driver Kit, with a broom icon, along with an internet auto guide popup with a Fusion Browser. Will be home later tonight and will wait for your next direction. Thanks and have a great day.

 

John



#5 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 20 January 2016 - 07:47 AM

1.

Uninstalling A Program Through "Add/Remove"

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the entries and selecting "Remove":

PC Driver Kit v3.2
Fusion Browser

 

 

2.

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Additional instructions can be found here if needed.


#6 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 20 January 2016 - 03:00 PM

Hello,

 

I removed the other two programs and attached the log.

 

Thank you

Attached Files



#7 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 20 January 2016 - 03:08 PM

I did forget to note that I have not seen any more popups and the Google search bar is now gone, but when clicking on Chrome I am still being redirected to https://search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-6YMG3__alt__ddc_dsssyc_bd_com

 

Just wanted to note

 

Thanks again.



#8 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 21 January 2016 - 09:26 AM

Let's do one more check for any leftovers and get a new FRST log.

 

1.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

 

2.

Please run FRST as you did the first time you ran it, then post the new FRST.txt.


#9 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 21 January 2016 - 03:18 PM

Everything seems to be fine, but again when I go to my Chrome browser it is still opening on the following page:

 

https://search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-6YMG3__alt__ddc_dsssyc_bd_com

 

Thank you,

John

 

 

Attached Files



#10 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 21 January 2016 - 07:35 PM

Go ahead and uninstall Chrome and reinstall it. Make sure to let it delete everything. Then let me know how it goes.


#11 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 22 January 2016 - 05:19 PM

It will not allow me to uninstall Chrome. It shows me a box: "Please close all windows in Google Chrome (including those in Windows 8 mode) and try again."

 

I do not have anything open???



#12 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 24 January 2016 - 03:16 PM

Start the computer in Safe Mode, then uninstall it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.


#13 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 25 January 2016 - 08:47 PM

Uninstalled Chrome in Safe Mode and then re-installed, and it's still the same thing with the Chrome homepage:

 

https://search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-6YMG3__alt__ddc_dsssyc_bd_com



#14 fireman4it (Bleepin' Fireman)
  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 06:43 AM

Posted 25 January 2016 - 09:35 PM

https://support.google.com/chrome/answer/95314?hl=en

Go here and set your homepage and start page to what you want, then see if it stays that way or changes back.


#15 Johnfavata (Topic Starter)
  • Members
  • 29 posts
  • Local time: 07:43 AM

Posted 25 January 2016 - 10:02 PM

This is the home page / start page in Settings, which is what it was before the uninstall:

 

https://www.google.com/?gws_rd=ssl
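The thread ends with Chrome still opening the Yahoo search page even though Settings shows Google as the start page and the browser has been uninstalled and reinstalled, which is the pattern of an override that lives outside the profile the Settings page reads. The script below is an added example, not something posted in this thread and not part of Chrome or any of the tools named here. It is a read-only inventory of the three places such an override usually sits: a URL appended to the arguments of a chrome.exe shortcut (desktop, Start Menu, pinned taskbar), Chrome policy values under HKLM or HKCU\SOFTWARE\Policies\Google\Chrome (which Chrome honours over user settings), and the session, homepage and extension entries in the profile's Preferences and Secure Preferences files (the file AdwCleaner edited in post #3). Assumptions: a default single-profile install under %LOCALAPPDATA%, the standard shortcut folders, and the preference key names (session.startup_urls, session.restore_on_startup, homepage, extensions.settings) as Chrome used them at the time of this thread.

```powershell
# Added example, not from the thread or from Google. Read-only inventory of the
# places a Chrome start-page override survives outside chrome://settings.
# Nothing is modified. Assumption: default single-profile Chrome install under
# %LOCALAPPDATA%; pass -ProfileDir for a different profile.
function Get-ChromeStartupOverrides {
    param(
        [string]$ProfileDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Source, [string]$Location, $Value) {
        $findings.Add([pscustomobject]@{ Source = $Source; Location = $Location; Value = $Value })
    }

    # 1. Shortcuts. A URL appended to chrome.exe's arguments is opened on every
    #    launch regardless of the homepage/start page shown in Settings, and a
    #    reinstall does not rewrite shortcuts that already exist.
    $shell = New-Object -ComObject WScript.Shell
    $shortcutDirs = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('Programs'),
        [Environment]::GetFolderPath('CommonPrograms'),
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
    )
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($file.FullName)
            if ($lnk.TargetPath -notmatch 'chrome\.exe$') { continue }
            # Legitimate Chrome shortcuts carry only "--" switches; a bare token is a URL.
            $stray = @(($lnk.Arguments -split '\s+') | Where-Object { $_ -and $_ -notlike '-*' })
            if ($stray.Count -gt 0) { Add-Finding 'Shortcut' $file.FullName $lnk.Arguments }
        }
    }

    # 2. Policies. Values under the Policies keys override user settings and show
    #    in Chrome only as a "managed by your organization" notice.
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
        if (-not (Test-Path $root)) { continue }
        $props = Get-ItemProperty -Path $root
        foreach ($name in 'HomepageLocation', 'HomepageIsNewTabPage', 'RestoreOnStartup', 'DefaultSearchProviderSearchURL') {
            if ($null -ne $props.$name) { Add-Finding 'Policy' "$root\$name" $props.$name }
        }
        foreach ($sub in 'RestoreOnStartupURLs', 'ExtensionInstallForcelist') {
            $subKey = Join-Path $root $sub
            if (-not (Test-Path $subKey)) { continue }
            foreach ($p in (Get-ItemProperty -Path $subKey).PSObject.Properties) {
                if ($p.Name -match '^\d+$') { Add-Finding 'Policy' "$subKey\$($p.Name)" $p.Value }
            }
        }
    }

    # 3. Profile preference files. The start-page URL and extension AdwCleaner
    #    removed in this thread lived in "Secure Preferences"; "Preferences"
    #    holds the same kinds of entries.
    foreach ($fileName in 'Preferences', 'Secure Preferences') {
        $path = Join-Path $ProfileDir $fileName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $prefs = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json
        if ($prefs.homepage) { Add-Finding 'Prefs' "$fileName : homepage" $prefs.homepage }
        if ($prefs.session) {
            if ($null -ne $prefs.session.restore_on_startup) {
                Add-Finding 'Prefs' "$fileName : session.restore_on_startup" $prefs.session.restore_on_startup
            }
            foreach ($u in @($prefs.session.startup_urls)) {
                if ($u) { Add-Finding 'Prefs' "$fileName : session.startup_urls" $u }
            }
        }
        if ($prefs.extensions -and $prefs.extensions.settings) {
            foreach ($p in $prefs.extensions.settings.PSObject.Properties) {
                Add-Finding 'Extension' "$fileName : extensions.settings" $p.Name
            }
        }
    }
    return $findings
}

Get-ChromeStartupOverrides | Format-Table Source, Location, Value -AutoSize -Wrap
```

Run it in a normal (non-elevated) PowerShell session as the affected user, since HKCU and the profile path are per-user. A Shortcut finding is the usual explanation for the symptom in this thread: the Settings page shows Google, but the shortcut the user actually clicks carries the search page as an argument, so chrome.exe opens it first. On a home machine that was never domain-joined or enrolled in Chrome management, any Policy finding is unexpected and worth reviewing. An Extension finding lists every installed extension ID, so compare it against the ones the user knowingly installed rather than treating the list itself as a problem.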





