
Redirect Virus


This topic is locked
32 replies to this topic

#1 Ambience


Posted 11 March 2016 - 06:08 AM

Hello yet again,

 

I recently have been infected by a redirect virus wherein it opens my Chrome to scam websites.

Common ones include:

 

MMM Philippines (Investment Scam Website)

Smart New Tab (I don't know what this does, and all I know is it takes me to a page where I download something.)

 

I have tried to download FRST.exe but my Chrome fails to do so, showing me a "Failed - network error". I also did my research and discovered that this virus, or whatever you call it, prevents me from downloading FRST; pretty clever.

 

So technically speaking, I need help.





#2 satchfan

  • Malware Response Team

Posted 11 March 2016 - 09:41 AM

Hello Ambience and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop
  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn't work (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.
  • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:

    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

RKreport.txt
zoek-results.log


Thanks

Satchfan

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Ambience

  • Topic Starter

Posted 11 March 2016 - 09:22 PM

Here it is:

I was quite surprised that the Virus did not block the downloads.

 

RogueKiller:

Attached File  RKreport.txt   3.58KB   8 downloads

 

Zoek:

Attached File  zoek-results.log   17.81KB   10 downloads

 

Will be patiently waiting for your reply.



#4 satchfan

  • Malware Response Team

Posted 12 March 2016 - 04:24 AM

Nothing too bad so far so we’ll run some more scans to clean a few things up and have a better look.

===================================================

Note: Please follow these instructions in the order given.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt
Addition.txt


Thanks

Satchfan




#5 Ambience

  • Topic Starter

Posted 13 March 2016 - 02:27 AM

AdwCleaner found nothing on my computer because I have scanned the computer before I came for help here.

 

But anyway here is my latest log:

Attached File  AdwCleanerC1.txt   2.89KB   1 downloads

 

Other logs coming in a few minutes..



#6 Ambience

  • Topic Starter

Posted 13 March 2016 - 02:40 AM

FRST can be downloaded now, thank you for that.

 

The Junkware Removal Tool txt:

Attached File  JRT.txt   3.07KB   3 downloads

 

And both the FRST and Addition txt:

 

Attached File  FRST_13-03-2016_15-35-03.txt   21.71KB   5 downloads

 

Attached File  Addition_13-03-2016_15-35-03.txt   45.21KB   0 downloads

 

If I ever gave you the wrong files, please tell me as soon as possible.

The date today is March 13, 2016.

 

Will be waiting for your reply.


Edited by Ambience, 13 March 2016 - 02:40 AM.


#7 Ambience

  • Topic Starter

Posted 13 March 2016 - 02:48 AM

Ran FRST again because I am dumb and I forgot to make sure there is a checkmark next to the Addition.txt (sorry lol).

 

Here are the logs:

 

Attached File  FRST_13-03-2016_15-43-58.txt   21.91KB   2 downloads

 

Attached File  Addition_13-03-2016_15-43-58.txt   45.21KB   3 downloads



#8 satchfan

  • Malware Response Team

Posted 13 March 2016 - 05:46 AM

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool here:

C:\Users\pc\Pictures\Downloads\FRST

  • right click on FRST and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below and paste it into Notepad.


ManualProxies: 0hxxp://unblockservice.com/wpad.dat?7d5d877c1bd10bcd1d9a26c6836ef6105529385
Handler: ms-help - No CLSID Value -
2016-01-05 00:44 - 2016-01-05 00:44 - 0000000 __RSH () C:\ProgramData\autorun.inf
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.21.135\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{38216570-5DB1-45F8-A344-B0C4E252B14B}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.26.7\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.24.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3774938920-3611944914-2639708701-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\pc\AppData\Local\Google\Update\1.3.24.7\psuser.dll => No File
127.0.0.1 oscount.techsmith.com
127.0.0.1 activation.cloud.techsmith.com
Hosts:
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

================================================

Run Security Check

Download Security Check by screen317 from here or here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

Logs to include with next post:

Fixlog.txt
CKFiles.txt
checkup.txt


Thanks

Satchfan

 




#9 Ambience

  • Topic Starter

Posted 13 March 2016 - 07:08 AM

Here they are:

 

Attached File  ckfiles.txt   319bytes   4 downloads

 

Attached File  Fixlog.txt   4.22KB   1 downloads

 

I couldn't download SecurityCheck from either of the links you provided, so I downloaded it from the official BleepingComputer website. Is that okay? If so, then here is the checkup text:

 

Attached File  checkup.txt   1.2KB   1 downloads

 

Will be again waiting for your reply, have a great day.

 

 



#10 satchfan

  • Malware Response Team

Posted 14 March 2016 - 03:05 AM

Thanks for the logs, but can you please copy/paste them into your reply and not attach them unless requested.

Thanks.

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • start Malwarebytes Anti-Malware and update it (“Update” tab)
  • once it is updated, click on “Scan” tab, select Threat Scan, then click Scan.
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

Mbam.txt

Can you tell me if there are any outstanding problems?

Satchfan
 


Edited by satchfan, 14 March 2016 - 03:06 AM.



#11 Ambience

  • Topic Starter

Posted 14 March 2016 - 07:27 AM

Here you go. I'm sorry; the reason why I attach files is because I don't know how to paste the contents of scan logs in a proper format. You see that box where people put their logs in? I don't know how to do that, sorry.
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 3/14/2016
Scan Time: 7:31 PM
Logfile: Mbam.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.14.03
Rootkit Database: v2016.03.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7
CPU: x86
File System: NTFS
User: pc
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 376317
Time Elapsed: 33 min, 58 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 2
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, 0http://unblockservice.com/wpad.dat?7d5d877c1bd10bcd1d9a26c6836ef6105529385, Quarantined, [3c6f6324f8a1979fbe333d48b153ab55]
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-3774938920-3611944914-2639708701-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigUrl, http://unblockservice.com/wpad.dat?7d5d877c1bd10bcd1d9a26c6836ef6105529385, Quarantined, [a3080186debb3600612e4acdc73ced13]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#12 Ambience

  • Topic Starter

Posted 14 March 2016 - 08:06 AM

And yes, it still redirects me to rubbish and non-sensical websites.



#13 satchfan

  • Malware Response Team

Posted 14 March 2016 - 09:11 AM

Can you open Internet Explorer?

  • click on Tools > Internet Options
  • click on the “Connections” tab
  • click on LAN settings
  • if there is a check mark next to "Use automatic configuration script", remove the address in the box below.

Let me know how that goes.

Satchfan

 




#14 Ambience

  • Topic Starter

Posted 16 March 2016 - 05:34 AM

There is no check in the box next to the "Use automatic configuration script." setting.
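The LAN settings dialogue only shows the current user's "automatic configuration script" box, while the MBAM log earlier in this thread flagged a PAC URL in two places: the per-user AutoConfigURL value and a ManualProxies value under the NlaSvc service key. The following read-only PowerShell check reports both from the registry directly. It is an added example, not code from this thread or from FRST, MBAM or Zoek; the function name Get-ProxyAutoConfigFinding and the TrustedHosts parameter are my own, and treating ManualProxies as a value under the NlaSvc Internet key is an assumption based on how the logs above print it.

```powershell
# Added example, not code from this thread or from FRST, MBAM or Zoek.
# Read-only: it lists proxy auto-config (PAC) and proxy settings and changes
# nothing. Run from an elevated PowerShell prompt so the HKLM key is readable.

function Get-ProxyAutoConfigFinding {
    [CmdletBinding()]
    param(
        # Hostnames that are allowed to serve a PAC file (e.g. your own proxy).
        # Assumed parameter; the default is a placeholder, not a real host.
        [string[]]$TrustedHosts = @('proxy.example.invalid')
    )

    # Registry locations taken from the FRST fixlist and MBAM log in this
    # thread. Treating ManualProxies as a value under the NlaSvc Internet key
    # is an assumption based on how the logs print it.
    $targets = @(
        @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
           Names = @('AutoConfigURL', 'ProxyServer') },
        @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
           Names = @('ManualProxies') }
    )

    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Path)) { continue }
        $props = Get-ItemProperty -LiteralPath $t.Path -ErrorAction SilentlyContinue
        foreach ($name in $t.Names) {
            $raw = [string]$props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # The hijacked values in the MBAM log carry a URL, sometimes with a
            # leading digit ("0http://..."), so pull the URL out with a regex
            # rather than trusting the whole string to parse as a URI.
            $m = [regex]::Match($raw, 'https?://[^\s;|]+')
            $pacHost = $null
            $suspicious = $false
            if ($m.Success) {
                try { $pacHost = ([uri]$m.Value).Host } catch { $pacHost = $null }
                # A PAC URL whose host is not one you administer is the pattern
                # MBAM reported above as Hijack.AutoConfigURL.
                $suspicious = -not ($TrustedHosts -contains $pacHost)
            }
            # ProxyServer entries without a URL scheme (host:port) are listed
            # for review but not marked suspicious by this check.

            [pscustomobject]@{
                Path       = $t.Path
                Name       = $name
                Value      = $raw
                PacHost    = $pacHost
                Suspicious = $suspicious
            }
        }
    }
}

# Usage: on a machine with no proxy configured this prints nothing.
Get-ProxyAutoConfigFinding | Format-Table -AutoSize
```

The function only reads; removing a hijacked value is left to the tools and fixlist the helper posts, which also handle the per-profile HKU copies that an HKCU query from an admin account would not see. Pass your real proxy name via -TrustedHosts on a managed network so a legitimate PAC file is not flagged.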



#15 satchfan

  • Malware Response Team

Posted 16 March 2016 - 08:30 AM

Apologies; just re-read your posts and realised that it's Chrome that is the problem (it usually is). The worst case scenario is that we may have to uninstall & re-install Chrome, but let's try this first:

Re-run Zoek

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    chrdefaults;
    emptyalltemp;
    emptyclsid;
    autoclean;
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Thanks

Satchfan

 






