
Infected with browser redirect kb-ribaki.org, explorer.exe http://kb-ribaki.org


9 replies to this topic

#1 lescobosa

lescobosa

  • Members
  • 5 posts
  • OFFLINE

Posted 03 August 2016 - 05:12 PM

McAfee is garbage and Malwarebytes doesn't remove it, just recognizes it. I've attached the Farbar Recovery Scan txt file with this, please help.

Attached Files

  • Attached File  FRST.txt   810.21KB   2 downloads



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 AM

Posted 04 August 2016 - 12:50 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SpeedZooka Scheduler] => C:\Program Files (x86)\SpeedZooka\SpeedZookaScheduler.exe
HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\...\Run: [Luis] => explorer.exe hxxp://kb-ribaki.org <===== ATTENTION
HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://hi.ru/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1239391399-1074437271-3852232621-1001 -> DefaultScope {2039DD3E-4E72-4C20-90E7-9FD959AA7D06} URL = hxxp://www.google.com/cse?cx=partner-pub-0900663996874144:4435833467&ie=UTF-8&q={searchTerms}&sa=Search&ref=#gsc.tab=0&gsc.q={searchTerms}&gsc.page=1
SearchScopes: HKU\S-1-5-21-1239391399-1074437271-3852232621-1001 -> {2039DD3E-4E72-4C20-90E7-9FD959AA7D06} URL = hxxp://www.google.com/cse?cx=partner-pub-0900663996874144:4435833467&ie=UTF-8&q={searchTerms}&sa=Search&ref=#gsc.tab=0&gsc.q={searchTerms}&gsc.page=1
Toolbar: HKU\S-1-5-21-1239391399-1074437271-3852232621-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Luis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-01]
CHR HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
C:\Program Files (x86)\SpeedZooka
C:\Users\Luis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

====

Please post the logs and include the Addition.txt file that was created by the Farbar tool.

How is the computer running now?

#3 lescobosa

lescobosa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 04 August 2016 - 05:16 PM

Thank you so much, your response was quick.

Um, I haven't gotten to see if it's not coming back.
Every time I deleted it right through the registry it would come back, but I just need to do a couple of reboots to see if it shows up. So far nothing, no sign of
explorer.exe http://kb-ribaki.org

Attached Files



#4 lescobosa

lescobosa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 04 August 2016 - 06:13 PM

I just rebooted my PC, it's back.

Here is the FRST.txt.

I'm sure I did as instructed,

and ran Malwarebytes and it picked up nothing.

Attached Files

  • Attached File  FRST.txt   824.22KB   3 downloads


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 AM

Posted 05 August 2016 - 08:50 AM

Remove this program via the Control Panel > Programs > Programs and Features.
Torch (HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\...\Torch) (Version: 47.0.0.11490 - Torch Media, Inc) <==== ATTENTION
==

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.2\ToolbarUpdater.exe
HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\...\Run: [Luis] => explorer.exe hxxp://kb-ribaki.org <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-1239391399-1074437271-3852232621-1001] => Proxy is enabled.
HKU\S-1-5-21-1239391399-1074437271-3852232621-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={DBAC2038-7292-4F31-B2EA-6A61AC9CDBF6}&mid=fa66af5a4fd747ccbf162c18725e7745-10e22a1ab1d99366811fa2eddba7332929d21a12&lang=en&ds=AVG&coid=avgtbavg&cmpid=0516piz&pr=fr&d=2016-08-03 19:10:25&v=4.3.2.18&pid=wtu&sg=&sap=hp
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.2\\npsitesafety.dll [No File]
FF SearchPlugin: C:\Users\Luis\AppData\Roaming\Mozilla\Firefox\Profiles\id5eyk5n.default\searchplugins\avg-secure-search.xml [2016-08-03]
R2 vToolbarUpdater40.3.2; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.2\ToolbarUpdater.exe [1309768 2016-08-03] (AVG Secure Search)
U0 SR; no ImagePath
U2 srservice; no ImagePath
Task: {0EFA8938-ADB1-4F7A-9F4F-7D6D8652DDE6} - System32\Tasks\Luis => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Luis /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org"
Task: {1FB2FFB3-D76E-422D-BBEF-226326448403} - \Microsoft\XblGameSave\XblGameSaveTask\Logon -> No File <==== ATTENTION
FirewallRules: [{E59BBBCB-8078-4170-AC9D-1843952C0741}] => (Allow) C:\Users\Luis\AppData\Local\Torch\Plugins\Hola\hola_plugin.exe
FirewallRules: [{BF18E0F9-D962-4354-937D-00DBC80BCE18}] => (Allow) C:\Users\Luis\AppData\Local\Torch\Application\torch.exe
C:\Users\Luis\AppData\Local\Torch
RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Is the issue persisting?
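The two fixlists in this thread remove a Run value (`explorer.exe hxxp://kb-ribaki.org`) and, in the second pass, the scheduled task whose action REG ADDs that value back, which is why deleting the key by hand did not hold across reboots. As an added example (not part of this thread, and not FRST's own code), the Python triage below reads FRST-style log lines and pairs each Run value that launches explorer.exe with a URL to any task that recreates it; the sample lines, SID and task GUIDs are constructed placeholders.

```python
import re

# Constructed sample lines in FRST (Farbar Recovery Scan Tool) log format,
# modelled on the entries quoted in this thread. The SID and task GUIDs are
# placeholders, not values taken from a real machine.
SAMPLE_LOG = r"""
HKU\S-1-5-21-0000000000-0000000000-0000000000-1001\...\Run: [Luis] => explorer.exe hxxp://kb-ribaki.org <===== ATTENTION
HKLM-x32\...\Run: [SpeedZooka Scheduler] => C:\Program Files (x86)\SpeedZooka\SpeedZookaScheduler.exe
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Luis => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Luis /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org"
Task: {00000000-0000-0000-0000-000000000002} - \Microsoft\XblGameSave\XblGameSaveTask\Logon -> No File
"""

# FRST "Run" entry: <hive>\...\Run: [<value name>] => <command> [<===== ATTENTION]
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*?)(?:\s*<=+ ATTENTION)?\s*$")
# FRST "Task" entry: Task: {GUID} - <task path> => <action>   (or "-> No File")
TASK_RE = re.compile(r"^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?) (?:=>|->) (?P<action>.*)$")
# A task action that rewrites a registry value: REG ADD <key> ... /v <name> ... /d "<data>"
REGADD_RE = re.compile(r"REG ADD\s+(?P<key>\S+).*?/v\s+(?P<value>\S+).*?/d\s+\"?(?P<data>[^\"]+)\"?", re.IGNORECASE)
# explorer.exe handed a URL opens it in the default browser; FRST defangs http as hxxp.
URL_LAUNCH_RE = re.compile(r"\bexplorer(?:\.exe)?\s+(?P<url>h(?:tt|xx)ps?://\S+)", re.IGNORECASE)


def triage(log_text):
    """One finding per Run value that opens a URL via explorer.exe; if a scheduled
    task REG ADDs that same value back, 'recreated_by' names the task GUID."""
    runs, writers = [], {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = TASK_RE.match(line)
        if not m:
            continue
        w = REGADD_RE.search(m.group("action"))
        if w and w.group("key").lower().endswith(r"\currentversion\run"):
            writers[w.group("value").lower()] = (m.group("guid"), w.group("data"))
    findings = []
    for run in runs:
        u = URL_LAUNCH_RE.search(run["cmd"])
        if not u:
            continue
        task = writers.get(run["name"].lower())
        findings.append({
            "value": run["name"],
            "url": u.group("url"),
            "recreated_by": task[0] if task and u.group("url") in task[1] else None,
        })
    return findings
```

When `recreated_by` is set, removing only the Run value is not enough; the task has to go in the same fix, which is what the second fixlist does.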

#6 lescobosa

lescobosa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 05 August 2016 - 10:33 AM

Here is the fixlog

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 AM

Posted 05 August 2016 - 01:25 PM

Did you keep TORCH?

How is the computer running now?

#8 lescobosa

lescobosa
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 05 August 2016 - 06:45 PM

No, I got rid of Torch like suggested. It's running fine, no issues yet.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 AM

Posted 06 August 2016 - 06:59 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 AM

Posted 12 August 2016 - 08:22 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



