Browsers hijacked by viceice


25 replies to this topic

#1 randomnamepicker (Members)

Posted 26 March 2016 - 03:24 AM

My browsers got hijacked by viceice.com after installing MemTest86 from the official website.

Now I can't change the start page to something else, all my add-ons are gone, and when searching for stuff on Google, a phishing site sends back the results.
I'd like to get rid of this trash if possible and have included FRST logs like the sticky said.

Attached Files





#2 satchfan (Malware Response Team, Devon, UK)

Posted 26 March 2016 - 04:32 AM

Hello randomnamepicker and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested.

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.
  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please run FRST again and post the new log.

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt


Thanks

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 randomnamepicker (Topic Starter)

Posted 26 March 2016 - 05:04 AM

Logs included.

Attached Files



#4 satchfan (Malware Response Team)

Posted 26 March 2016 - 07:22 AM

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

HKU\S-1-5-21-1340984194-2719139737-3105592191-1001\...\Winlogon: [Shell] C:\Users\XXXX\AppData\Roaming\taskmgr\taskmgr.exe [153448448 2016-03-23] () <==== ATTENTION
SearchScopes: HKU\S-1-5-21-1340984194-2719139737-3105592191-1001 -> DefaultScope {2039DD3E-4E72-4C20-90E7-9FD959AA7D06} URL = 
FF DefaultSearchEngine: viceice
FF SelectedSearchEngine: viceice
FF Homepage: hxxp://www.viceice.com
FF user.js: detected! => C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\i5jtfusa.default\user.js [2016-03-23]
CHR HomePage: Default -> hxxp://www.viceice.com/
CHR StartupUrls: Default -> "hxxp://www.viceice.com/" 
CHR DefaultSearchURL: Default -> hxxp://www.google.com/?cx=partner-pub-0900663996874144%3A4435833467&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=www.viceice.com%2F&ref=&ss=
CHR DefaultSearchKeyword: Default -> viceice.com
CMD: ipconfig /flushdns
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64, then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyalltemp;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad; the log can also be found on the system drive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

Fixlog.txt
zoek-results.log


Can you tell me the current situation

Thanks

Satchfan


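The fixlist above bundles two different problems: a Winlogon Shell value pointing at a fake taskmgr.exe in the user's roaming profile (real logon persistence, not just a browser setting), and homepage/search entries that route queries through a Google Custom Search engine (the cx/siteurl parameters) so results still look like Google. As an added example that is not part of the thread or of FRST, the Python below triages FRST-style log lines for exactly these indicators. The sample lines are the ones quoted in the post; the expected shell name and the trusted-host list are assumptions chosen for illustration.

```python
"""Triage FRST log lines for browser-hijack and Winlogon persistence indicators.

Added example for this thread; it is not part of FRST and not code posted by
anyone in the thread. The sample lines are copied from the fixlist above
(FRST defangs http as hxxp). EXPECTED_SHELL and TRUSTED_HOSTS are assumptions
chosen for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the FRST lines quoted in post #4.
SAMPLE_LOG = r"""
HKU\S-1-5-21-1340984194-2719139737-3105592191-1001\...\Winlogon: [Shell] C:\Users\XXXX\AppData\Roaming\taskmgr\taskmgr.exe [153448448 2016-03-23] () <==== ATTENTION
SearchScopes: HKU\S-1-5-21-1340984194-2719139737-3105592191-1001 -> DefaultScope {2039DD3E-4E72-4C20-90E7-9FD959AA7D06} URL =
FF DefaultSearchEngine: viceice
FF SelectedSearchEngine: viceice
FF Homepage: hxxp://www.viceice.com
FF user.js: detected! => C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\i5jtfusa.default\user.js [2016-03-23]
CHR HomePage: Default -> hxxp://www.viceice.com/
CHR StartupUrls: Default -> "hxxp://www.viceice.com/"
CHR DefaultSearchURL: Default -> hxxp://www.google.com/?cx=partner-pub-0900663996874144%3A4435833467&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=www.viceice.com%2F&ref=&ss=
CHR DefaultSearchKeyword: Default -> viceice.com
"""

# Assumption: on a clean Windows install the Winlogon Shell value is explorer.exe.
EXPECTED_SHELL = "explorer.exe"
# Assumption: homepage/search hosts this machine's owner actually wants.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}

# Path after "[Shell]" runs up to FRST's "[size date]" annotation or end of line.
SHELL_RE = re.compile(r"Winlogon: \[Shell\] (?P<path>.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\]|$)")
URL_RE = re.compile(r"hxxps?://\S+")


def refang(url: str) -> str:
    """Turn FRST's defanged hxxp:// back into http:// so urlparse sees a scheme."""
    return "http" + url[4:]


def triage(log: str) -> list:
    """Return (indicator, detail) pairs for every suspicious line in the log."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SHELL_RE.search(line)
        if m:
            path = m.group("path")
            # A Shell that is anything but explorer.exe runs at every logon.
            if path.lower().rsplit("\\", 1)[-1] != EXPECTED_SHELL:
                findings.append(("winlogon_shell", path))
        if "user.js: detected" in line:
            # user.js re-applies its prefs on every Firefox start, which is why
            # the homepage "cannot be changed" from the UI.
            path = line.split("=>", 1)[1].split(" [")[0].strip()
            findings.append(("ff_user_js", path))
        for token in URL_RE.findall(line):
            parsed = urlparse(refang(token.rstrip('"')))
            host = parsed.hostname or ""
            qs = parse_qs(parsed.query)
            if "cx" in qs or "siteurl" in qs:
                # Google Custom Search: the host is google.com, but results come
                # from an engine a third party (here the hijacker) controls.
                findings.append(("custom_search_redirect", qs.get("siteurl", [""])[0]))
            elif host not in TRUSTED_HOSTS:
                findings.append(("untrusted_browser_url", host))
    return findings


def has_persistence(findings: list) -> bool:
    """True when something beyond browser settings (Winlogon Shell) is present."""
    return any(kind == "winlogon_shell" for kind, _ in findings)
```

The custom-search rule is checked before the host allowlist on purpose: the DefaultSearchURL line passes a naive "is it google.com?" test, and only the cx/siteurl parameters give the redirect away.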


#5 randomnamepicker (Topic Starter)

Posted 26 March 2016 - 12:36 PM

I'm having issues with Zoek (Windows 10).

At first it wouldn't start at all and I had to run it in compatibility mode (Windows 7), and now it's been stuck on "Firefox fix" for 4 hours.

Also, I think I've been infected by a RAT as well, because my cursor has been moving randomly and my browser is trolling me by sending me back to previous pages or scrolling all over the place.

Edited by randomnamepicker, 26 March 2016 - 01:00 PM.


#6 satchfan (Malware Response Team)

Posted 26 March 2016 - 01:42 PM

Zoek works fine with Windows 10, but Firefox is infected with viceice so it may be causing the problem.

I think the best thing is to uninstall and reinstall Firefox; this will clear out all user data and plugins, so we are starting with a fresh install of Firefox.

Stop the Zoek process in Task Manager (Ctrl+Alt+Delete).

You can backup your bookmarks if you need to but you will need to install any addins again.

Also note down any passwords etc.

Download a new copy of Firefox from here and save it to your desktop.

How to backup your bookmarks

  • open Firefox.
  • click the “Bookmarks” menu
  • click Show All Bookmarks
  • in the “Library” window, click the Import and Backup button and then select Backup
  • in the “Bookmarks backup filename” window that opens, choose a location to save the file, which is named Bookmarks-"date".json by default
  • once the backup has run, close all windows and check location for backup file.

Remove Firefox

  • right-click the Start button and click Control Panel
  • go to “Programs and Features” - (if your Control Panel is in “Category” view, go to “Uninstall a Program”)
  • locate Mozilla Firefox, click it to select it, and then click Uninstall.

Locate and delete the following folders:

C:\Users\XXXX\AppData\Roaming\Mozilla Firefox
C:\Program Files (x86)\Mozilla Firefox


Reboot

Install the new copy of Firefox that you saved to the desktop.

Restore Bookmarks

  • open Firefox
  • click the “Bookmarks” menu
  • click Show All Bookmarks
  • in the “Library” window, click the “Import and Backup” button and then select Restore
  • in the “Bookmarks backup filename” window that opens, choose the location you saved the backup file to

When the restore has taken place, close all windows and try running Zoek again.

Satchfan
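The reinstall above works because the hijacked settings live in the Firefox profile, and FRST had already flagged a user.js there: Firefox re-applies every user_pref() in that file at each start-up, so a homepage changed in the UI reverts on the next launch. As an added example that is not from the thread or from Mozilla, the Python below parses a user.js, reports the preferences a hijacker typically pins, and produces a copy with those lines removed. The sample file is constructed (only the viceice URL comes from the thread); the preference names are real Firefox prefs, but which of them count as hijack indicators is my assumption.

```python
"""Inspect and clean a Firefox user.js for hijacked preferences.

Added example; not code from the thread or from Mozilla. Firefox reads
user.js at every start and re-applies each user_pref(), so a hijacker who
drops one owns the homepage and search engine until the file is removed.
SAMPLE_USER_JS is constructed; HIJACK_PREFS is an assumption.
"""
import re

# Constructed sample of a hijacker's user.js. The viceice URL is from the
# thread; the other values are illustrative.
SAMPLE_USER_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.viceice.com");
user_pref("browser.search.defaultenginename", "viceice");
user_pref("browser.search.selectedEngine", "viceice");
user_pref("keyword.URL", "http://www.viceice.com/search?q=");
user_pref("browser.newtab.url", "http://www.viceice.com");
user_pref("extensions.enabledAddons", "");
user_pref("privacy.donottrackheader.enabled", true);
'''

# Assumption: the prefs a hijacker needs to pin to own the browsing session
# (start page, new tab, search engine, address-bar search, and the add-on
# list, which explains the "all my addons are gone" symptom).
HIJACK_PREFS = {
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.newtab.url",
    "extensions.enabledAddons",
}

# user_pref("name", value);  -- value is kept as raw source text.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_user_js(text: str) -> dict:
    """Return {pref_name: raw_value} for every user_pref() line in the file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_hijacked(text: str) -> dict:
    """Subset of parse_user_js() limited to HIJACK_PREFS."""
    return {k: v for k, v in parse_user_js(text).items() if k in HIJACK_PREFS}


def strip_hijacked(text: str) -> str:
    """Return the file with hijack prefs removed; every other line is kept verbatim.

    Write the result back only while Firefox is closed, otherwise the running
    instance rewrites the profile on exit.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in HIJACK_PREFS:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

On a machine where a full reinstall is not an option, running find_hijacked() over each profile's user.js (and prefs.js, which uses the same syntax) shows what was pinned before anything is deleted.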


#7 randomnamepicker (Topic Starter)

Posted 26 March 2016 - 02:42 PM

It kinda worked.

Zoek is not stuck on "Firefox Fix" anymore, now it's stuck at "Firefox Extensions".



#8 satchfan (Malware Response Team)

Posted 26 March 2016 - 06:26 PM

Weird. Can you run FRST again and send the new log?

Cheers

Satchfan


#9 randomnamepicker (Topic Starter)

Posted 26 March 2016 - 06:43 PM

FRST logs

Attached Files



#10 satchfan (Malware Response Team)

Posted 26 March 2016 - 08:04 PM

Reset Microsoft Edge

  • open the “Settings” menu by clicking the three horizontal dots in the upper right corner of the Edge window and choose Settings
  • under “Clear browsing data”, click Choose what to clear then click Show more
  • although there are a lot of data types, select them all and click Clear
  • restart the computer.

================================================

Please download SystemLook from one of the links below and save it to your Desktop.

SystemLook (32-bit)
SystemLook (64-bit)

  • double-click SystemLook.exe to run it.
  • copy the content of the following codebox into the main textfield - please make sure you include the colon (:) at the beginning:

    :filefind
    * viceice*
    
    :folderfind
    *viceice*
    
    :regfind
    viceice
    
  • click the Look button to start the scan.
  • when finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Satchfan


#11 randomnamepicker (Topic Starter)

Posted 26 March 2016 - 08:22 PM

Syslook logs

Attached Files



#12 satchfan (Malware Response Team)

Posted 26 March 2016 - 08:27 PM

It is 1:15am here (GMT), and we put the clocks forward tonight, which means that in reality it is 2:15am, so I'm going to get a bit of sleep now.

Will check that and be in touch tomorrow.




#13 satchfan (Malware Response Team)

Posted 27 March 2016 - 03:15 AM

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

When you've done that, please delete SystemLook.txt from your desktop and run SystemLook again.

  • double-click SystemLook.exe to run it.
  • copy the content of the following codebox into the main textfield - please make sure you include the colon (:) at the beginning:
    :regfind
    viceice
    
  • click the Look button to start the scan.
  • when finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Satchfan


#14 randomnamepicker (Topic Starter)

Posted 27 March 2016 - 10:32 AM

Logs included

Attached Files



#15 satchfan (Malware Response Team)

Posted 27 March 2016 - 11:02 AM

Let's get rid of those.

Launch Notepad (Start > All Programs > Accessories) and copy/paste the whole quoted block below into it, starting with Windows Registry Editor Version 5.00. Don't forget to include the Windows Registry Editor Version 5.00 line:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DoNotAskAgain"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DoNotAskAgain"=-
[-HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]

  • "Save in": Desktop
  • "File Name": delete.reg
  • "Save as Type": All files
  • click: Save

On the desktop, double-click delete.reg and allow it to run. Let it merge.

Reboot and let me know how things are.

Satchfan
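Two pieces of Registry Editor 5.00 syntax in the script above are worth knowing before merging anything downloaded from a forum: a bracketed key with a leading minus sign ([-HKEY_...]) deletes the whole key, and a value set to a bare minus sign ("Name"=-) deletes just that value, while a plain [HKEY_...] line creates the key if it is missing. As an added example that is not from the thread and is not a complete .reg implementation, the Python below parses that subset, lists the operations a merge would perform, collapses any duplicated operations, and flags anything outside the per-user hives. The sample is constructed from the posted script, with the key-delete lines repeated so the dedupe has something to do; the allowed-hive list is an assumption.

```python
"""Parse a Registry Editor 5.00 script and list what merging it would do.

Added example; not from the thread and not a full .reg parser. It handles the
subset used by browser-cleanup scripts: key delete ([-Key]), value set
("Name"=data or @=data) and value delete ("Name"=-). Input is decoded text
(real .reg files are usually UTF-16 LE with a BOM; decode before calling).
"""
import re

# Constructed from the posted delete.reg, with delete lines repeated.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DoNotAskAgain"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DoNotAskAgain"=-
[-HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[-HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
[-HKEY_USERS\S-1-5-21-1340984194-2719139737-3105592191-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2039DD3E-4E72-4C20-90E7-9FD959AA7D06}]
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)(\\.*)?\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')
# Assumption: a browser-cleanup script should only touch per-user hives.
ALLOWED_ROOTS = {"HKEY_CURRENT_USER", "HKEY_USERS"}


def parse_reg(text: str) -> list:
    """Return (op, key, name, data) tuples in file order.

    op is 'delete_key', 'set_value' or 'delete_value'. A [Key] line without a
    leading '-' selects (and would create) the key; it shows up through the
    value lines that follow it rather than as an op of its own.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != HEADER:
        raise ValueError("missing or unsupported .reg header")
    ops, current = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        km = KEY_RE.match(ln)
        if km:
            minus, root, rest = km.groups()
            key = root + (rest or "")
            if minus:
                ops.append(("delete_key", key, None, None))
                current = None
            else:
                current = key
            continue
        vm = VALUE_RE.match(ln)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            data = vm.group(2)
            if data == "-":
                ops.append(("delete_value", current, name, None))
            else:
                ops.append(("set_value", current, name, data))
            continue
        raise ValueError(f"unparsed line: {ln!r}")
    return ops


def dedupe(ops: list) -> list:
    """Drop repeated operations, keeping first occurrence and order."""
    seen, out = set(), []
    for op in ops:
        if op not in seen:
            seen.add(op)
            out.append(op)
    return out


def out_of_scope(ops: list) -> list:
    """Operations on hives outside ALLOWED_ROOTS (e.g. HKEY_LOCAL_MACHINE)."""
    return [op for op in ops if op[1].split("\\", 1)[0] not in ALLOWED_ROOTS]
```

Reviewing the op list before double-clicking is the point: for this script it should show only two value resets, two value deletes and two key deletes, all under HKEY_CURRENT_USER and the matching HKEY_USERS SID, and nothing that out_of_scope() reports.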




