Keep getting redirects & Random unknown user account!


  • This topic is locked
57 replies to this topic

#1 kooky500

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 20 September 2016 - 09:52 PM

Hello,

 so unfortunately I've managed to get myself a virus that redirects me when I visit sites on Google chrome. I've also noticed that when I Right-click on Chrome or Firefox and click 'Properties -->'Security' I see a weird, unknown user account listed. A couple of times now, I've gotten an 'app was reset' message and one time I saw a command prompt open and disappear in a second.

 

I've tried nearly everything in removing this thing, and it always comes back. I haven't installed anything recently. I got the virus by clicking on a link accidentally, and a pop-up appeared and it was too late, the virus had already downloaded. Since then, I keep getting redirects to more malicious software, when I click on sites that I visit often.

 I've tried running MalwareBytes, MalwareBytes Anti-Rootkit Windows Defender, Kaspersky, Norton Power Eraser, HitmanPro, AVG, AdwCleaner, TDSSKiller, JRT, RKill, Sophos Virus Removal Tool, SecurityCheck and The Windows Repair tool from Tweaking(dot)com and nothing seems to work! I've even tried reinstalling Google Chrome & Firefox and it still comes back. Can anyone help me with this? Thanks

 

 I had previously posted a topic about this issue here: http://www.bleepingcomputer.com/forums/t/627103/redirect-virus-help-needed/page-3

 

The mysterious account names start with 'S-1-5-21' as you can see in the attached logs. The one I've noticed most often is the account: 'S-1-5-21-3059459435-627724901-1248588466-1001'

Attached Files


Edited by kooky500, 20 September 2016 - 10:13 PM.


#2 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 September 2016 - 01:16 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3059459435-627724901-1248588466-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter S-1-5-21-3059459435-627724901-1248588466-1001;illus in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#3 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 21 September 2016 - 03:07 PM

Alright, here are the logs.

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2016 - 09:54 AM


Let's make it simple.

Remove the User profile illus
Follow the instructions on this page
http://www.technig.com/remove-user-profile-correctly/

Restart the computer normally when done.

===

Run the Farbar search and on the Registry search box enter illus

Post the log for my review.

Let me know what problems persist.

#5 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 22 September 2016 - 10:02 AM

But, the user profile illus is mine, and it's the only account on the pc. So, how will I log into the pc if I remove that user profile?



#6 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2016 - 01:03 PM


Sorry, all I had to work with were these items in your Addition.txt log.

Administrator (S-1-5-21-3059459435-627724901-1248588466-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3059459435-627724901-1248588466-503 - Limited - Disabled)
Guest (S-1-5-21-3059459435-627724901-1248588466-501 - Limited - Disabled)
illus (S-1-5-21-3059459435-627724901-1248588466-1001 - Administrator - Enabled) => C:\Users\illus


Is this the one that is causing problem?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]
"Sid"="S-1-5-21-3059459435-627724901-1248588466-1001"

Remove the Sid profile if you see it. Or the user 1044478.


To make sure all is removed please run the Farbar registry search and look for 1044478

Post the log for my review.
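For a reader who wants to check, on the machine itself, which account a SID like the ones quoted from Addition.txt above belongs to, here is an added PowerShell example; it is not part of this thread and not a Farbar function. The SID list is copied from the post above, and the chrome.exe path is an assumption (the default 64-bit Windows install location).

```powershell
# Added example: resolve SIDs to account names and list the identities on a file's ACL.
# The four SIDs below are the ones quoted from Addition.txt in this thread.
$sids = @(
    'S-1-5-21-3059459435-627724901-1248588466-500',
    'S-1-5-21-3059459435-627724901-1248588466-503',
    'S-1-5-21-3059459435-627724901-1248588466-501',
    'S-1-5-21-3059459435-627724901-1248588466-1001'
)

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() throws when no local or domain account owns the SID
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved: no local or domain account owns this SID>'
    }
}

foreach ($sid in $sids) {
    '{0}  ->  {1}' -f $sid, (Resolve-Sid $sid)
}

# Local accounts with their SIDs (Get-LocalUser ships with Windows 10).
# The machine part, S-1-5-21-<three numbers>, is identical for every local
# account; only the last number (the RID) differs: 500 built-in Administrator,
# 501 Guest, 503 DefaultAccount, 1000 and up for accounts created later.
Get-LocalUser | Select-Object Name, Enabled, SID

# Identities that appear on the Security tab of a file. Path is an assumption.
$path = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
if (Test-Path $path) {
    (Get-Acl $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

Explorer shows an entry on the Security tab as a raw SID only when it cannot resolve that SID to a name, so an entry that resolves to an enabled local account here is that account, not a second unknown user.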

#7 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 22 September 2016 - 01:11 PM

Yeah, that's the one that seems to be causing the problem. I couldn't find the Sid profile or the user 1044478. But, here's the log from the Farbar registry search:

 

Farbar Recovery Scan Tool (x64) Version: 21-09-2016
Ran by illus (22-09-2016 12:08:54)
Running from C:\Users\illus\Downloads
Boot Mode: Normal

================== Search Registry: "1044478" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]

====== End of Search ======



#8 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 September 2016 - 08:45 AM


Run this fix.


Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]


Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the problem persisting?

#9 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 23 September 2016 - 09:28 AM

The unknown user account is still there. However, this morning I also noticed that some of my files had some weird names. Do these file names look normal to you?

Attached Files



#10 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 September 2016 - 10:15 AM


It's only name for me.

You can Google the filename and see what you get.

Or

Submit one or two files for inspection at Virustotal.
https://www.virustotal.com/

===

Run the Registry Search with the Farbar tool and let me know if the Registry entry has been removed or not.

===


If you need to look into it further I suggest you start a new topic in the Windows 10 forum.
http://www.bleepingcomputer.com/forums/f/229/windows-10-support/
An expert with that Operating System may be able to help you better than I can. This is not malware and not my forte.

#11 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 23 September 2016 - 10:27 AM

Alright, I ran the Registry Search again and this is what I got:

 

Farbar Recovery Scan Tool (x64) Version: 21-09-2016
Ran by illus (23-09-2016 09:26:13)
Running from C:\Users\illus\Downloads
Boot Mode: Normal

================== Search Registry: "1044478" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]

====== End of Search ======



#12 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 23 September 2016 - 02:41 PM

Okay, I just tried Google Chrome. I'm still getting redirects and pop-ups.



#13 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 23 September 2016 - 07:38 PM

The main site that I keep getting pop-ups on is a site called mangahere.com. Could you maybe test the site by visiting it so that I can confirm that the problem is my pc, and not the site? I'd test it myself on another pc but I'm not willing to assume that risk.



#14 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 September 2016 - 08:33 AM


When I navigate to mangahere.com
I'm redirected to http://www.mangahere.co/

No pop-ups.

Which extension do you use on the link?

On which browser(s) are you getting pop-ups?

#15 kooky500

  • Topic Starter
  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 24 September 2016 - 09:16 AM

I'm getting pop-ups on Google Chrome. Right now I don't have any extensions yet because I just reinstalled Chrome, so I haven't had a chance to get any extensions yet. Before I reinstalled Chrome though, I had Adblock Plus and normal Adblock yet, still got the pop-ups. Also, I have pop-ups disabled but, these still pop-up regardless. I haven't gotten any pop-ups on Firefox yet.
