
Weird login prompt asking me to change to Taiwan email address


  • This topic is locked
4 replies to this topic

#1 derekangel


Posted 29 June 2016 - 09:36 AM

Hello,

 

I have been passed through to this forum for assistance with an odd and suspicious issue.  Whenever I try to log on to a specific website, tripadvisor, I get a pop-up asking me if I want to change the email address domain from mine to seed.net.tw.  It happens using either Chrome, Firefox or Internet Explorer.  It only appears to be happening on the tripadvisor sites (I have tried the .co.uk and the .com sites - same result) but that could be because it is a tripadvisor 'thing' (I have contacted tripadvisor seeking their view - no answer yet) or because their log-in pop-up trips up something more serious - a keylogger or other.

 

I have had great assistance on the Security forum from a member who has guided me through using CCleaner, Malwarebytes, ADWcleaner, and Junkware Removal Tool, but to no avail, so he recommended I come here to seek further help.

 

I have attached the FRST.txt and Addition.txt files from the run through of the Farbar Recovery Scan Tool, as well as a screengrab of the suspicious pop-up (screengrab15Jun16.jpg).  Given the openness of this forum, I have tweaked usernames (only) in all three.

 

I should also note that, per above, I have pursued this with Tripadvisor, who have finally decided to assist, although it has gone nowhere other than me posting screen-shots of the occurrence on both the .co.uk and .com sites.

 

Many thanks in advance for any thoughts and/or assistance.




 


#2 Sirawit


Posted 02 July 2016 - 04:11 AM

Hello derekangel and welcome to BleepingComputer!   :)

 

My name is Sirawit and I'm here to help you.

 

If I don't reply after 3 days, feel free to PM me.  :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right-hand corner of the topic, you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 3 days I will bump the topic; if you do not reply in the next 3 days, we will assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

Based on your screenshot, I believe the popup is the legit one from Tripadvisor since I'm able to replicate that on my machine. I guessed that your domain name has a word that's similar to "seed" in it so Tripadvisor tried to guess a typo for you. So that's not a problem on your side. See the screenshot below:

 

[Screenshot: o9oiv475hqT7VRUKMcp-o.png]

 

-----------------

Did you use Yahoo! Detect and Freecorder 8 Applications? If not, please uninstall those programs in Control Panel > Programs and Scan tools.

 

Also, I found that you have disabled "Officejet 7500 E910" device and also haven't installed the driver for "Photosmart C4500 series" device. Did you perform those actions?

 

-----------------

 

From your old topic, I think we could clean something more in your machine, please follow the instructions below:

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
  • Note2: Since you had edited your username out, you will have to edit your name back in the fixlist file where applicable or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached file: fixlist.txt
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run; please post it in your reply

==========

 

After the fix has been completed, please create a new FRST log for me.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.
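
The typo-guessing behaviour suggested in the reply above can be sketched as a client-side "did you mean" check. This is an added example, not Tripadvisor's code and not part of the original posts; the domain list, the distance threshold and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example: "did you mean" logic for e-mail domains on a login form.
// KNOWN_DOMAINS and MAX_DISTANCE are assumptions, not values from any real site.
const KNOWN_DOMAINS = ["gmail.com", "yahoo.com", "hotmail.com", "seed.net.tw"];
const MAX_DISTANCE = 2;

// Classic Levenshtein edit distance (insert, delete, substitute each cost 1).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const curr = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = curr;
  }
  return prev[b.length];
}

// Returns a suggested address, or null when the domain is already known
// or no known domain is within MAX_DISTANCE edits.
function suggestEmail(address) {
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) return null; // not a usable address
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  if (KNOWN_DOMAINS.includes(domain)) return null;

  let best = null;
  let bestDistance = MAX_DISTANCE + 1;
  for (const known of KNOWN_DOMAINS) {
    const d = editDistance(domain, known);
    if (d < bestDistance) {
      best = known;
      bestDistance = d;
    }
  }
  return best ? `${local}@${best}` : null;
}

// Constructed sample inputs (not the poster's real address).
const samples = ["alice@seeds.net.tw", "bob@gmial.com", "carol@example.org", "dave@seed.net.tw"];
for (const s of samples) {
  console.log(s, "->", suggestEmail(s));
}
```

A prompt produced this way runs entirely in the page's own script and appears in every browser, which matches the symptom described in the first post.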


#3 derekangel


Posted 05 July 2016 - 06:58 AM

Hi Sirawit,

 

Thank you for taking the time to look at my issue.  Firstly, I am relieved at your findings; that it seems to be a tripadvisor problem, not mine.  Secondly, I have downloaded your fixlist.txt file but cannot see what you are trying to do with this file.  In the absence of this, and the fact that my PC appears to be 'clean', I have decided to halt proceedings here and do nothing further.

 

Many thanks for your attention and assistance.



#4 Sirawit


Posted 05 July 2016 - 08:21 AM

OK. Since I didn't find any serious problem in your machine anyway, it will be fine to close the topic. :)

 

Thank you.




#5 Sirawit


Posted 05 July 2016 - 08:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





