Malware Removal Next Steps?


17 replies to this topic

#1 Divinevalor

Divinevalor

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 08 October 2016 - 02:15 AM

So in the past maybe 5? months I've been redirected to:

2 times aferesearchgroup.com claiming to be a charter survey (Charter doesn't know about this at all and the website is basically unlisted on google)

1 time Browser hijacker and my anti-virus/mbam were unable to find anything wrong.

 

I've run adwcleaner, jrt, and rkill to try and remove any threats..

 

Is there anything else I can do to block any potential attacks?

 

 

 

Edit: I use webroot pro and google chrome


Edited by Divinevalor, 08 October 2016 - 02:17 AM.



 


#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,590 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:11:13 AM

Posted 08 October 2016 - 09:16 AM

RKill will not remove a virus or malware. The following is from Grinler's description of what RKill does and doesn't do.
 
"RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.
As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed."
Please run RKill; do not restart your computer until all of the requested scans have been run.
I know that you have already run two of the scans I'm requesting; please run these again.
Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  
 
 
3)  Click on Settings, you will see an image like the one below.
 
 
When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits
 
4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.
 
5)  When the scan is complete the results will be displayed.  Click on Delete All.
 
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.
 
 

Please run AdwCleaner
 
Please download AdwCleaner and install it.
 
When AdwCleaner opens you will see an image like the one below.
 
 
Click on Scan to start the scan.
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.
 
If no malicious programs are found you will receive the following message.
 
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.
 
 

 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.
 
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
 
3.  Click Start Scan and allow the scan process to run.
 
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!
 
Click on Continue.
 
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.
 
Note:  The log may be very long.  You may need to break it into parts to post the whole log.
 
Post this in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 08 October 2016 - 09:17 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:13 PM

Posted 08 October 2016 - 09:20 AM

I moved this to Am I Infected from Win 8.

Clean your browser add ons and see.

How To Disable Individual Plug-ins in Google Chrome

Now run ESET and see how it is.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 tealover

tealover

  • Members
  • 174 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester, UK
  • Local time:07:13 PM

Posted 08 October 2016 - 10:50 AM

Perhaps consider another Internet Security package.

Kaspersky Internet Security and Bitdefender are both very good and give high levels of malware protection both online and using scanners

They also block malicious websites that might try to inject malware.



#5 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,590 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:11:13 AM

Posted 08 October 2016 - 11:07 AM

Perhaps consider another Internet Security package.

Kaspersky Internet Security and Bitdefender are both very good and give high levels of malware protection both online and using scanners

They also block malicious websites that might try to inject malware.

PC Magazine compares Webroot Pro favorably to both of these antiviruses.



 

 

 

 


#6 tealover

tealover

  • Members
  • 174 posts
  • OFFLINE
  • Gender:Male
  • Location:Chester, UK
  • Local time:07:13 PM

Posted 08 October 2016 - 11:32 AM

Agreed, there is a large array to choose from, making selection difficult.

I've also run Ubuntu for many years with Comodo, and this might be worthy of consideration.



#7 Divinevalor

Divinevalor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 09 October 2016 - 05:18 AM

I couldn't edit my previous post so I'll just post the logfiles here

 

 
ADWCleaner
# AdwCleaner v6.021 - Logfile created 09/10/2016 at 03:33:04
# Updated on 06/10/2016 by ToolsLib
# Database : 2016-10-07.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : Carson - CARSONSPC
# Running from : C:\Users\Carson\Downloads\AdwCleaner (1).exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Default User\AppData\Local\Pokki
[#] Folder deleted on reboot: C:\Users\Default\AppData\Local\Pokki
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
ESET
C:\Users\Carson\Downloads\ccsetup522.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
 
C:\Users\Carson\Downloads\dfsetup221 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
 
C:\Users\Carson\Downloads\dfsetup221.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
 
 
 
I believe both of these are CCleaner and Defraggler respectively, so I'm not sure any of these scans truly found anything (I downloaded CCleaner and Defraggler prior to the first 2).
 
On a side note, I started up Chrome without my antivirus on and my entire computer was lagging for a few seconds. Not sure if this was just a temporary thing due to all the scans and my computer catching up or what, but I just wanted to note it.

Edited by Divinevalor, 09 October 2016 - 06:01 AM.
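The two log formats pasted above, parsed into a triage summary that separates bundled/PUA-class detections from actual malware and flags items AdwCleaner deferred to reboot. This is an added example, not code from the thread or from the AdwCleaner or ESET tools; the one-line-per-detection shape of the ESET export is assumed from the three lines posted, and the sample logs are constructed.

```python
import re
from dataclasses import dataclass

# Constructed samples in the two log layouts pasted in the thread (abridged).
ADW_LOG = r"""
# AdwCleaner v6.021 - Logfile created 09/10/2016 at 03:33:04
***** [ Folders ] *****
[-] Folder deleted: C:\Users\Default User\AppData\Local\Pokki
[#] Folder deleted on reboot: C:\Users\Default\AppData\Local\Pokki
***** [ Files ] *****
"""
ESET_LOG = r"""
C:\Users\Carson\Downloads\ccsetup522.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
C:\Users\Carson\Downloads\dfsetup221 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted
"""

@dataclass
class Finding:
    tool: str
    path: str
    detail: str    # AdwCleaner section or ESET detection name
    severity: str  # "pua" (adware, bundled or unwanted app) or "malware"
    action: str

ADW_SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ADW_ENTRY = re.compile(r"^\[([-#!])\] (.+?): (.+)$")   # "[#]" = deferred to reboot
# Assumed line shape for the ESET export: <path> <detection> <classification> <action>
ESET_ENTRY = re.compile(r"^(?P<path>.+?\.(?:exe|dll|msi|zip)) (?P<name>\S+) (?P<kind>.+?) (?P<action>\w+)$")

def parse_adwcleaner(text: str) -> list[Finding]:
    """Everything AdwCleaner lists is adware/PUP class, so severity is always 'pua'."""
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        if m := ADW_SECTION.match(line):
            section = m.group(1)
        elif section and (m := ADW_ENTRY.match(line)):
            marker, what, path = m.groups()
            action = what + (" (pending reboot)" if marker == "#" else "")
            findings.append(Finding("AdwCleaner", path, section, "pua", action))
    return findings

def parse_eset(text: str) -> list[Finding]:
    """Bundled toolbars and 'potentially unsafe/unwanted' hits are PUA; anything else counts as malware."""
    findings = []
    for m in filter(None, map(ESET_ENTRY.match, map(str.strip, text.splitlines()))):
        pua = "unsafe" in m["kind"].lower() or "unwanted" in m["kind"].lower() or "Bundled" in m["name"]
        findings.append(Finding("ESET", m["path"], m["name"], "pua" if pua else "malware", m["action"]))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """The counts that answer the thread's question: did any scan find more than bundled PUAs?"""
    return {"pua": sum(f.severity == "pua" for f in findings),
            "malware": sum(f.severity == "malware" for f in findings),
            "pending_reboot": sum("pending reboot" in f.action for f in findings)}
```

Running `summarize(parse_adwcleaner(ADW_LOG) + parse_eset(ESET_LOG))` on the samples gives four PUA-class items, no malware, and one folder still pending deletion at reboot.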


#8 npcomplete

npcomplete

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 09 October 2016 - 07:13 AM

I have had this recently too, exactly this ad redirect to http://www.aferesearchgroup.com when visiting a certain website without AdBlockerPlus.

They detect your ISP and ask you to fill out a survey. I've also come across a similar whole-page ad redirect when visiting another website on my cellphone.

 

I too have run all the aforementioned programs but they turn up nothing. I've come to the conclusion that's because it's nothing to do with anything installed on your PC.

Here's an old article about this exact issue, but for mobile ads (however, the same applies on PC):

http://readwrite.com/2014/05/15/app-redirects-mobile-spam-ads/

 

 

The Awl is not alone. These ads have been hitting websites all over, and publishers are struggling to take them down. NBC Sports had a similar problem earlier this year. The company claimed the ad product came from Google, and to remedy it, NBC blocked all mobile game ads from its mobile site.

 

Mobile ad redirects result when malicious—or maybe just faulty—JavaScript in a mobile ad runs on a Web page. When you’re browsing your favorite website and suddenly find yourself in an app store, it’s the result of a bad deep link. (Sometimes you can end up on porn sites, or even on a porn site masquerading as an app store.)

 

The best thing to probably do is to notify the admin of that site and use AdBlockPlus and/or NoScript in the meantime.

However I recommend caution with NoScript because it breaks many sites, even after whitelisting, due to deep references to other sites for javascript, so I gave it up. It requires a lot of work just to maintain and so far AB+ in Firefox has worked just fine for me.


Edited by npcomplete, 09 October 2016 - 07:21 AM.


#9 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,590 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:11:13 AM

Posted 09 October 2016 - 09:38 AM

@Divinevalor

 

Please post the rest of the requested scan logs.



 

 

 

 


#10 Divinevalor

Divinevalor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 09 October 2016 - 09:56 AM

All of the other scans failed to find anything so the logs are empty.

@npcomplete I was using ABP through this process and hijack was on an older site which could've been infected but one of the research redirects was on Reddit.

#11 npcomplete

npcomplete

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 09 October 2016 - 11:05 AM

All of the other scans failed to find anything so the logs are empty.

@npcomplete I was using ABP through this process and hijack was on an older site which could've been infected but one of the research redirects was on Reddit.

 

Are you using ABP on Chrome? I could be wrong, but I vaguely recall that it works differently, where it still downloads the ads but doesn't display them.

 

Also, ABP by default whitelists some things, to allow some ads and some scripts on popular sites. I have not explicitly whitelisted anything in ABP for Reddit (the icon is still red), but I see that there are Google Ads right on the front page and Reddit's own "ads" (engine.a.redditmedia.com). So I will have to take back a part of my advice of being "safe" with ABP. It would require some more work to create a separate list that really blocks everything, although it would probably break popular sites too.


Edited by npcomplete, 09 October 2016 - 11:07 AM.


#12 Divinevalor

Divinevalor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:13 PM

Posted 09 October 2016 - 12:11 PM

Yes I do use chrome and I recently (2 days ago) switched over to ublock origin as it's been catching a lot of positive attention, so hopefully it'll block things ABP seemed to not block



#13 npcomplete

npcomplete

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 10 October 2016 - 03:30 AM

uBlock Origin looks interesting. I like the lower resource usage. Thanks for the tip.



#14 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,590 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:11:13 AM

Posted 10 October 2016 - 07:29 AM

Let's see what happens while running Chrome without any extensions.

 

  • Click Start
  • Type iexplore.exe -extoff in the Search programs and files box, then press Enter
  • Check the browser behavior

Edited by dc3, 10 October 2016 - 07:30 AM.


 

 

 

 


#15 npcomplete

npcomplete

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 11 October 2016 - 10:13 PM

I contacted the admin of a site I frequent and have whitelisted in ABP. He confirmed these ad redirects are a problem they've been having, specifically with the ad network they use, which is used by other major sites too. Apparently the LA Times has been experiencing this too.

 

Also, whoever's behind the redirect to the aferesearchgroup.com site seems to have changed the domain to something else that begins with a "w" and has "ve" something... +researchgroup.com but it's the exact same site. And more worrisome, I got a redirect to a scam site blockedsite877.com (one of those that states your computer is infected and to call a number).





