
Firefox and Google Chrome keep redirecting to many different websites.



#1 kimiisuu


Posted 09 January 2017 - 08:06 PM

Most of the websites are blocked by Malwarebytes. Also I am currently using Firefox as I uninstalled Chrome a few days ago.
 
I installed an infected program and uninstalled it after finding out. I do not remember what I downloaded. Scanned computer system with Malwarebytes, HitmanPro (Trial Version) and AdwCleaner. They all seem to detect viruses and remove them but after the reboot the ads are still there. At least one ad pops up every 30 seconds.
Seems like they pop up whenever we're connected to wifi. Very annoying.
Thanks.
Crystal
 
I've attached the logs below.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/01/2017
Scan Time: 2:19 PM
Logfile: log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.01.10.01
Rootkit Database: v2016.11.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340888
Time Elapsed: 7 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.Agent.Generic, C:\Users\user\AppData\Local\Temp\{3505fe0fd9db4e7f92967fe0d34bb19e}\+IXO4hado8\publisher.exe, 3092, , [c871f981a701360013ee46723ec25aa6]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent.Generic, HKU\S-1-5-21-2285484613-214436783-4134696340-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Publisher, C:\Users\user\AppData\Local\Temp\{3505fe0fd9db4e7f92967fe0d34bb19e}\+IXO4hado8\publisher.exe, , [c871f981a701360013ee46723ec25aa6]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent.Generic, C:\Users\user\AppData\Local\Temp\{3505fe0fd9db4e7f92967fe0d34bb19e}\+IXO4hado8\publisher.exe, , [c871f981a701360013ee46723ec25aa6],

Physical Sectors: 0
(No malicious items detected)

(end)

HitmanPro 3.7.15.281
www.hitmanpro.com

   Computer name . . . . : USER-PC
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : user-PC\user
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (24 days left)

   Scan date . . . . . . : 2017-01-10 14:46:06
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 31s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 26

   Objects scanned . . . : 1,616,306
   Files scanned . . . . : 76,094
   Remnants scanned  . . : 413,512 files / 1,126,700 keys

Cookies _____________________________________________________________________

   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\56329O1D.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\6NZV8HOI.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\89UZT8WK.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\DY87J8G0.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\JK2K264E.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\0GCGIK8L.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\30K7IZEV.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\33K2LNDF.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\431OQVUX.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\57F8PVO1.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\7QH0EVZG.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\ASAHW5UR.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\D5KF8B5W.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\H2A7IOX4.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\IKBMIENG.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\IT1YIW8Q.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\LYQZQ0D6.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\POBV2FCX.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\S2H76HGJ.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\SHFECCFW.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\UXVNEEPH.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\V1HRIDTT.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\XQUWMCID.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\YRN8Y8SR.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\QR1H7PGG.txt
   C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\XBCHYW04.txt

# AdwCleaner v6.042 - Logfile created 10/01/2017 at 14:56:13
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-09.3 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : user - USER-PC
# Running from : C:\Users\user\Downloads\adwcleaner_6.042.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Folder Found:  C:\Program Files (x86)\ScreenShared

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found:  [x64] HKLM\SOFTWARE\ScreenShared

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8397 Bytes] - [04/01/2017 20:24:09]
C:\AdwCleaner\AdwCleaner[C2].txt - [1573 Bytes] - [04/01/2017 20:38:08]
C:\AdwCleaner\AdwCleaner[C3].txt - [1487 Bytes] - [04/01/2017 20:43:32]
C:\AdwCleaner\AdwCleaner[C4].txt - [1576 Bytes] - [06/01/2017 21:07:02]
C:\AdwCleaner\AdwCleaner[S0].txt - [8124 Bytes] - [04/01/2017 20:22:49]
C:\AdwCleaner\AdwCleaner[S1].txt - [1642 Bytes] - [04/01/2017 20:30:53]
C:\AdwCleaner\AdwCleaner[S2].txt - [1574 Bytes] - [04/01/2017 20:42:08]
C:\AdwCleaner\AdwCleaner[S3].txt - [1718 Bytes] - [04/01/2017 20:47:06]
C:\AdwCleaner\AdwCleaner[S4].txt - [1670 Bytes] - [04/01/2017 20:56:51]
C:\AdwCleaner\AdwCleaner[S5].txt - [1744 Bytes] - [06/01/2017 21:06:51]
C:\AdwCleaner\AdwCleaner[S6].txt - [1889 Bytes] - [06/01/2017 23:59:43]
C:\AdwCleaner\AdwCleaner[S7].txt - [1962 Bytes] - [07/01/2017 00:20:28]
C:\AdwCleaner\AdwCleaner[S8].txt - [1913 Bytes] - [10/01/2017 14:56:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S8].txt - [1986 Bytes] ##########

Looking at the AdwCleaner log, there seems to be a program file called "ScreenShared" which I saw was running in the background in the list of programs in Task Manager. Ending the process of that file seemed to remove the ads. I checked the file in "Program Files (x86)" and there was nothing in the folder. I think the files are somehow hidden to avoid detection.
However, I'm guessing it somehow keeps coming back in a few days every time AdwCleaner removes it. I was thinking it may be a keylogger of some sort. AdwCleaner seemed to detect a key in the registry also named "ScreenShared".

Edited by hamluis, 10 January 2017 - 11:19 AM.
No logs, moved from MRL to AII, merged posts - Hamluis.

