Infected with Wizzcaster and popups and redirects


This topic is locked
7 replies to this topic

#1 ngc1836

Posted 11 August 2016 - 08:16 PM

Sometimes when I click on web links, the browser redirects me to another suspicious web page without opening the actual link. While checking with Malwarebytes, I noticed a suspicious program called Wizzcaster, which may have been behind all of these popups and redirects. Also, when I use a search engine in Microsoft Edge, Google Chrome, or Mozilla Firefox, a suspicious toolbar appears near the top of the web page, trying to redirect me towards bogus search results pages. A common site that keeps popping up is http://tradeexchange.net/. Other programs that came with it are SpaceSoundPro, PC Speed Up, System Healer, SafeFinder, and Lucky Browse. I have run several scans using Malwarebytes and Avast! Free Antivirus, which have identified and removed some malware programs prior to this. I have deleted several folders and the files in them, mainly in the Program Files and Program Files (x86) folders, yesterday. Does that make it harder to remove all of the malware on my computer?

 

I used Malwarebytes to search for malware and here are the results:

 

Attached file: 8-11-2016 malware scan.txt (1.23KB)

 

Here are the FRST logs:

Attached file: FRST.txt (159.56KB)

Attached file: Addition.txt (85.24KB)




#2 ngc1836

Posted 11 August 2016 - 08:55 PM

Here are additional Malwarebytes logs for recently added folders in ProgramData that are suspicious. Most of the suspicious files within those folders have been quarantined by Malwarebytes.

Attached file: 8-11-2016 malware scan 2.txt (1.48KB)

Attached file: 8-11-2016 malware scan 3.txt (1.23KB)

Attached file: 8-11-2016 malware scan 4.txt (2.07KB)

Attached file: 8-11-2016 malware scan 5.txt (1.18KB)

Attached file: 8-11-2016 malware scan 6.txt (1.31KB)

Attached file: 8-11-2016 malware scan 7.txt (1.11KB)



#3 nasdaq

Malware Response Team

Posted 12 August 2016 - 09:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3216266917-2232745514-3333557245-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3216266917-2232745514-3333557245-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBVRmzv2pJwNObb5I2Gl0KYX7VP0-UbrqeL-RiFeRRa_zRZXN2KCR6Ays7NDfWQsrsEXumsRUylCOCkyS6ph1wnWQLQyLUNKTOgDXnttcbZvALsrum1q7VqKrOH_0SiC9GksQ5AB5TGZmKcauzwgMVTnsnzvUDrJTaS_o88iILpxBXwGRk_Vg,,&q={searchTerms}
FF HKU\S-1-5-21-3216266917-2232745514-3333557245-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
FF HKU\S-1-5-21-3216266917-2232745514-3333557245-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\Henry\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-19]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
R2 iFunSoftUpdaterSvc; C:\Program Files (x86)\iFunSoft\iFunSoft Updater\iFunSoftUpdater.exe [2961216 2016-01-30] (iFunSoft)
S3 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [686592 2016-08-10] () [File not signed]
S3 cpuz137; \??\C:\Users\Henry\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X]
S3 cpuz138; \??\C:\Users\Henry\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
C:\Users\Henry\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Program Files (x86)\iFunSoft\iFunSoft Updater
C:\ProgramData\\CloudPrinter
Shortcut: C:\Users\Henry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\?hr?m? R?m?t? D?skt?p.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Henry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Henry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the logs and let me know if the problem persists.
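Two things in the fixlist above are worth being able to spot without a helper: the search-hijack URLs hide their hostname behind percent-encoding, and the browser shortcuts are renamed with look-alike characters and pointed at a chrome.bat that no longer exists. The following Python is an added example (not part of the thread and not FRST's own code) that decodes such hosts and flags such shortcuts in FRST-style lines; its sample input is constructed, and the Cyrillic letters in the shortcut name are an assumption standing in for the characters the forum rendered as "?".

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the FRST fixlist in post #3. The third line's shortcut
# name mixes Cyrillic look-alike letters into "Google Chrome" (assumption: the original
# characters were lost by the forum); the fourth line is a legitimate shortcut to compare.
SAMPLE = r"""
HKU\S-1-5-21-3216266917-2232745514-3333557245-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?q={searchTerms}
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?q={searchTerms}
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Henry\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

URL_RE = re.compile(r"hxxps?://\S+")  # FRST writes http as hxxp to defang the URL
SHORTCUT_RE = re.compile(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+?)(?: \(No File\))?$")

def decode_search_host(line):
    """(decoded host, True if it was percent-encoded) for a line carrying a URL, else None."""
    m = URL_RE.search(line)
    if not m:
        return None
    raw_host = urlsplit("http" + m.group(0)[4:]).hostname or ""   # undo the hxxp defang
    host = unquote(raw_host)                                       # %66%65%65%64 -> feed
    return host, host != raw_host

def scripts_in(text):
    """Unicode scripts of the letters in text, taken from the first word of each name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def check_shortcut(line):
    m = SHORTCUT_RE.match(line.strip())
    if not m:
        return None
    name = m.group("lnk").rsplit("\\", 1)[-1]
    findings = []
    if len(scripts_in(name)) > 1:                      # Latin mixed with look-alike letters
        findings.append("mixed-script name")
    if m.group("target").lower().endswith(".bat"):     # browser launched through a batch file
        findings.append("browser shortcut runs a .bat")
    return name, findings

def triage(report):
    """Percent-encoded search hosts (decoded) and shortcuts with findings, from FRST-style lines."""
    hosts, shortcuts = set(), {}
    for line in report.splitlines():
        decoded = decode_search_host(line)
        if decoded and decoded[1]:
            hosts.add(decoded[0])
        checked = check_shortcut(line)
        if checked and checked[1]:
            shortcuts[checked[0]] = checked[1]
    return hosts, shortcuts
```

Running triage(SAMPLE) yields the decoded host feed.sonic-search.com and a single flagged shortcut with both findings; the legitimate chrome.exe shortcut is not reported.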

#4 ngc1836

Posted 12 August 2016 - 12:34 PM

I ran the Fix function using fixlist.txt and the results are in fixlog.txt:

Attached file: Fixlog.txt (9.86KB)

 

So far when I run my internet browsers, the strange toolbar and redirects and popups have not returned. Hopefully they will not come back after this.



#5 ngc1836

Posted 12 August 2016 - 12:50 PM

Update: When I was using Google Search on Google Chrome, the toolbar I was talking about somehow appeared again. It pretends to be a legitimate toolbar by using the same font style and layout as the normal Google Chrome toolbar.

 

Here's a screenshot of the offending toolbar that I did not install voluntarily:

Attached file: Strange Toolbar.png (200.39KB)

 

The toolbar I'm talking about resides right above the Google website search bar. This toolbar has a back and forward button, with the forward button being enabled for some reason, a search box, a close button on its right, and worst of all copies whatever I type into the normal Google search bar and basically records my searches. It has the word "Gmail" in it, which the Google search bar also has.



#6 nasdaq

Malware Response Team

Posted 13 August 2016 - 08:40 AM

This is a first for me.

This is a good cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

If the problem persists:

Right click on the compromised tool bar. Make a note of the startup items. You may be able to save the image.

Do the same for the normal Google bar. Save the Image and check if it's the same. If not then let me know what is different.

===

#7 ngc1836

Posted 13 August 2016 - 12:13 PM

Yesterday I simply decided to reset Windows, delete everything from the hard drive, and restore my personal files from a backup before the infection. The toolbar is now gone, and no popups happen again.

 

In the future I will be more careful and avoid installing programs from untrustworthy sites. Thank you so much for your help and support.



#8 nasdaq

Malware Response Team

Posted 14 August 2016 - 07:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



