Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirects to dnshost.me then an array of websites


  • This topic is locked This topic is locked
15 replies to this topic

#1 93ToyTruck

93ToyTruck

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 18 October 2016 - 12:26 AM

I'm using Google Chrome. Occasionally webpages are hijacked and redirected to a variety of webpages including:

rent-a-home.site
carquoteforless.com
iasrv.maha-media.com/1/?
try.thebettertab.com
www.reimageplus.com
finderbird.com
54.245.29.36
news-forever.xyz
dateforyou.top
aferesearchgroup.com
vowresearchgroup.com
mantrasurvey.com
www.drawersurvey.com
download.driversupport.com
isp.yourrewardsurveys.com
 
It happens while clicking links but Ajax seems to be more susceptible because so many requests are occurring.
The listed domains often display different or no content if you paste the url into a browser. The pages provide different content when directed there from the virus/malware. Many are customized based on my ISP.
 
I noticed that it was hitting one or more webpages before stopping at one of the domains above. One time I was able to spot the domain name of the first website which is dnshost.me . I added a host file entry for 127.0.0.1 and dnshost.me to stop the redirecting. I'm now able to see the entire url which is:

 

https: //dnshost.me/in/0174615323563/?ads=wy0z4b6cj8

 

I've tried:

Removing and reinstalling Chrome.
TDSSKiller
Rkill
Malwarebytes
HitmanPro
ADWCleaner
CCleaner
FreeFixer
SpyHunter 4
 
SpyHunter 4 came up with a long list of false positives. I checked each of items listed and they were legitimate. If it found a single text word that was a match, it called it a virus. This is a totally bogus app.
 
Log files attached. Your help is appreciated.
 
Attached File  FRST.txt   86.96KB   12 downloads
Attached File  Addition.txt   78.7KB   5 downloads

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 20 October 2016 - 01:25 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This tool is no longer supported.
Remove it via the Control Panel > Programs > Programs and Features.
HiJackThis (HKLM-x32\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3549948302-4097066653-1816923473-1000\...\Run: [AdobeBridge] => [X]
Toolbar: HKU\S-1-5-21-3549948302-4097066653-1816923473-1000 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF user.js: detected! => C:\Users\Phillippi\AppData\Roaming\Mozilla\Firefox\Profiles\8dxxfx9m.default\user.js [2015-08-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Avast Online Security) - C:\Users\Phillippi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-10-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Phillippi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-10]
CHR Extension: (Chrome Media Router) - C:\Users\Phillippi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-10]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 vpnva; system32\DRIVERS\vpnva64.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
C:\Users\Phillippi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Phillippi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
AlternateDataStreams: C:\ProgramData\Temp:C9633DEB [207]
AlternateDataStreams: C:\ProgramData\Temp:FFE0B1EF [130]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 7 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217065FF}) (Version: 7.0.650 - Oracle)
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
Java SE Development Kit 8 Update 5 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180050}) (Version: 8.0.50 - Oracle Corporation)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)


Please post the Fixlog.txt file and let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 26 October 2016 - 09:42 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 27 October 2016 - 12:10 PM

I'm still getting the same behavior which is redirecting to dnshost.me/in/0174615323563/?ads=wy0z4b6cj8

 

Fixlog attached.

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 27 October 2016 - 01:31 PM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#6 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 27 October 2016 - 03:26 PM

Zoek results attached. It's still doing it. Thanks for your help.

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 28 October 2016 - 09:43 AM


Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CloseProcesses:

Hosts:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is it now?

If the problem persists please run the Farbar tool normally ad posf fresh FRST and Addition.txt files for my review.

#8 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 28 October 2016 - 12:27 PM

Still doing it. Files attached.

Attached Files



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 28 October 2016 - 01:05 PM

This setting normally in the Hosts file is wrong even though I reset the hosts file.
127.0.0.1 localhost dnshost.me

Reset the following with this fix.

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists please run this search.

Please run the Farbar Recovery Scan Tool. Enter hosts in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>

This infection may be set by a proxy. Remove anything referencing dnshost.me in all your browsers.

I Internet Explorer check this out.
http://windows.microsoft.com/en-ca/windows/change-internet-explorer-proxy-server-settings#1TC=windows-7

In Firefox.
http://www.linksys.com/us/support-article?articleNum=132304

In Chrome
https://support.google.com/chrome/answer/96815?hl=en
<<<>>>

Take the time to get the latest version of these 3rd party programs.
See my first post.
 

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.110 - Adobe Systems Incorporated)
Java SE Development Kit 8 Update 5 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180050}) (Version: 8.0.50 - Oracle Corporation)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)


Please let me know what problem persists with this computer.

#10 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 30 October 2016 - 10:32 PM

As I stated in my initial post, I added dnshost.me to the HOSTS file to prevent it from re-redirecting to the array of websites. It needs to be there until the problem is resolved.

 

The problem still persists. Search.txt attached.

Attached Files



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 31 October 2016 - 08:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html


===


How is it now?

#12 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 31 October 2016 - 12:51 PM

That is the same response as last time. The problem only exists on one computer in my house so it isn't the router.

 

The problem still persists.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 01 November 2016 - 08:49 AM



Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

Sorry about requesting a router setup. If all fails you may have to do it.

#14 93ToyTruck

93ToyTruck
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 03 November 2016 - 03:22 PM

Still doing it. Files attached.

Attached Files


Edited by 93ToyTruck, 03 November 2016 - 03:23 PM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 04 November 2016 - 08:17 AM

Download AutoRuns program from this link.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Run it in an Admin account. Do a search for dnshost.me and an other one for dnshost . If it is found uncheck the box next to any listing found. Reboot. If the computer runs normally then run AutoRuns again and highligh each entry then press the red X in the menu bar to remove it.

Restart the computer normally.

Keep me posted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users