
Google Chrome redirects involving engine.spotcenered.info


7 replies to this topic

#1 FireFlyer
  • Members

Posted 22 October 2016 - 12:22 AM

Sometime in late September/early October, my Google Chrome was getting redirected to a fake Comcast survey site at a rate of about once a day and I think it even changed the layout of YouTube. I was able to reset my settings, but I'm not sure if the problem is fixed, seeing as I've limited my use of Chrome during this time. I've used Malwarebytes, HitmanPro, RKill, TDSSKiller, AdwCleaner, ESET, Reason Core, and while they did find and remove some bad stuff, I'm not sure if the problem is fixed.

 

Here is the redirect that was involved, along with FRST and addition logs:

Attached Files




#2 nasdaq
  • Malware Response Team

Posted 22 October 2016 - 10:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

URLSearchHook: HKU\S-1-5-21-852323216-1299793428-4217004854-1000 - (No Name) - {cce665dd-f6dd-4808-968e-eaec971f70ef} - No File
BHO-x32: No Name -> {0931BD3F-547E-45C1-B133-D0E995645DBA} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Keyword.URL: Mozilla\Firefox\Profiles\4ijotq83.default -> hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_9&idate=__installtime__&hsimp=yhs-lavasoft&ent=bs&q=
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jason Bobick\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Jason Bobick\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-22]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2016-06-15]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
S3 cpuz132; \??\C:\Users\JASONB~1\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
Task: {10F06F55-C230-4421-893F-9F308F4CBF59} - System32\Tasks\avastBCLRestartS-1-5-21-852323216-1299793428-4217004854-1000 => Firefox.exe
Task: {AF24F71B-9A20-490F-99C2-DC03BF6D090F} - \RegHunterStartup -> No File <==== ATTENTION
FirewallRules: [{E5D235E1-738A-4A18-9188-D3AF54AA5351}] => (Allow) C:\Program Files (x86)\adawaretb\dtUser.exe
FirewallRules: [{6254D92D-318F-4AAD-AED5-60CF65F015EF}] => (Allow) C:\Program Files (x86)\adawaretb\dtUser.exe
C:\Users\Jason Bobick\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Jason Bobick\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Your version of Adobe AIR is out-of-date and vulnerable.

https://get.adobe.com/air/

Go to Start > Control Panel > Programs and Features and uninstall the old version(s) if present.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.7.0.2090 - Adobe Systems Incorporated)
===

Your version(s) of Adobe Flash are out-of-date and vulnerable.
Go to Start > Control Panel > Programs and Features and uninstall the following programs:
Adobe Flash Player 10 ActiveX

Go to this page with Firefox to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
J2SE Runtime Environment 5.0 Update 16 (HKLM\...\{6448F0A8-6813-11D6-A77B-00B0D0150160}) (Version: 1.5.0.160 - Sun Microsystems, Inc.)
Java 8 Update 60 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Java SE Development Kit 8 Update 60 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180600}) (Version: 8.0.600.27 - Oracle Corporation)
Java™ 6 Update 23 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416023FF}) (Version: 6.0.230 - Oracle)

===

Please post the Fixlog.txt and let me know what problem persists.
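As an added example (not part of this thread, and not a tool from FRST or its author), the small Python triage helper below scans FRST-style log lines for the kinds of entries the fixlist above removes: entries FRST itself marked ATTENTION, orphaned registry hooks that point to "No File", Chrome extensions registered without a path or update URL, drivers whose file is missing ([X]), and a Firefox keyword search routed through a third-party search site. The rule names, the Finding class and the sample log are assumptions constructed for the example; the GUIDs and user name in the sample are placeholders, not values from the original log.

```python
"""Hypothetical triage helper for Farbar Recovery Scan Tool (FRST) log lines.

It does not modify anything; it only reports which lines match the patterns a
reviewer would consider removing, so a fixlist can be checked before it is run.
"""
import re
from dataclasses import dataclass
from typing import List

# (reason, regex). The ATTENTION rule comes first so that a task line FRST
# already flagged is reported for that reason rather than for "No File".
RULES = [
    ("FRST flagged this entry itself", re.compile(r"<==== ATTENTION")),
    ("orphaned entry: registry hook points to a file that no longer exists",
     re.compile(r"\bNo File\b")),
    ("browser extension registered with no install path or update URL",
     re.compile(r"<no Path/update_url>")),
    ("driver/service whose file is missing", re.compile(r"\[X\]\s*$")),
    ("search hijack: Firefox keyword search routed through a third-party site",
     re.compile(r"^FF Keyword\.URL:.*\b(securedsearch|yhs-)", re.IGNORECASE)),
]


@dataclass
class Finding:
    line_no: int   # 1-based line number in the log text
    reason: str    # which rule matched
    entry: str     # the log line itself


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a rule (first rule wins)."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        for reason, rx in RULES:
            if rx.search(line):
                findings.append(Finding(n, reason, line))
                break
    return findings


# Constructed sample, modelled on the FRST line formats seen in the thread.
SAMPLE_LOG = """\
URLSearchHook: HKU\\S-1-5-21-0-0-0-1000 - (No Name) - {00000000-0000-0000-0000-000000000001} - No File
BHO-x32: No Name -> {00000000-0000-0000-0000-000000000002} -> No File
FF Keyword.URL: Mozilla\\Firefox\\Profiles\\xxxx.default -> hxxp://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb
CHR HKLM-x32\\...\\Chrome\\Extension: [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa] - <no Path/update_url>
CHR Extension: (Chrome Media Router) - C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-22]
S3 dbx; system32\\DRIVERS\\dbx.sys [X]
Task: {00000000-0000-0000-0000-000000000003} - \\RegHunterStartup -> No File <==== ATTENTION
FirewallRules: [{00000000-0000-0000-0000-000000000004}] => (Allow) C:\\Program Files (x86)\\adawaretb\\dtUser.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.entry}")
```

Lines the rules do not match (the legitimate Chrome Media Router extension, the firewall rule) are left for a human to judge, which is the point: the script narrows the review, it does not replace it.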

#3 FireFlyer
  • Topic Starter
  • Members

Posted 22 October 2016 - 01:30 PM

Sorry it took so long. I was doing the updates you instructed.

 

Here is the fixlog, along with the parts of the Cache that were deleted.

 

When cleaning my Google cache, should that also include media licenses? If so, how would that affect things like iTunes or Windows Media Player? Everything else I cleaned, but I'm not sure about the last part. If it's necessary, I'll do it.

 

EDIT: Went ahead and cleared media licenses.

Attached Files


Edited by FireFlyer, 22 October 2016 - 03:13 PM.


#4 nasdaq
  • Malware Response Team

Posted 23 October 2016 - 08:35 AM

Any remaining issues?

#5 FireFlyer
  • Topic Starter
  • Members

Posted 23 October 2016 - 10:00 AM

I've limited where I go on Chrome, so I'm not sure if the virus is gone. Other than that, that was the only problem I've been having and the parts where I do go haven't had the virus pop-up. If it happens again, I'll let you know.

 

EDIT: Could it possibly be related to this:

 

http://www.bleepingcomputer.com/forums/t/629199/adware-in-chrome-and-firefox-that-cant-be-detected/page-2


Edited by FireFlyer, 23 October 2016 - 10:06 AM.


#6 nasdaq
  • Malware Response Team

Posted 24 October 2016 - 08:39 AM

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

If you Sync your data.
How To Delete Your Google Chrome Browser Sync Data
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/
<<<>>>

Keep me posted.

Edited by nasdaq, 24 October 2016 - 08:40 AM.


#7 FireFlyer
  • Topic Starter
  • Members

Posted 24 October 2016 - 05:45 PM

Uninstalled and reinstalled Chrome. Also, there are the new FRST and Addition logs, just in case I either did it improperly or if something else was missed.

Attached Files



#8 nasdaq
  • Malware Response Team

Posted 25 October 2016 - 09:44 AM

Looking good.
 
If all is well.
 
To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
