
Links keep redirecting to some malicious sites


  • This topic is locked
4 replies to this topic

#1 d_bashido

d_bashido

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 20 January 2017 - 02:04 PM

Hi Team,

For the last few weeks my browsers have become very annoying: whenever I want to open any site, it redirects to some ad, sometimes porn, sometimes something else... :(

I have tried many things, and a few days ago I found a forum post where a user was facing the same problem. I followed that procedure using Malwarebytes, AdwCleaner and JRT (log files available) but am still facing the problem.

I will be grateful if you people help me to remove this.

PS: I want to contribute to your community by investing my time in it, as I am new to the IT security world and want to learn new things.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:26 PM

Posted 21 January 2017 - 11:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Microsoft Corporation) C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe
HKLM-x32\...\Run: [CSTDCMainController2014] => [X]
HKLM-x32\...\Run: [CSTDCSolverServer2014] => [X]
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\...\Run: [BingSvc] => C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\...\Run: [Google Update] => C:\Users\Malik\AppData\Local\Google\Update\1.3.32.7\GoogleUpdateCore.exe [601752 2016-12-17] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Chrome Media Router) - C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
CHR HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
S2 AppfocserT; C:\ProgramData\\AppfocserT\\AppfocserT.exe -f "C:\ProgramData\\AppfocserT\\AppfocserT.dat" -l -a
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
CustomCLSID: HKU\S-1-5-21-3097050614-1544340420-1818939659-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Malik\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe
C:\ProgramData\\AppfocserT

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#4 d_bashido

d_bashido
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 22 January 2017 - 03:57 PM

Hey Nasdaq, 

 

Thank you for your response. Apparently it seems good, and I am now not facing the redirecting issue. But somehow I have a doubt: some Chrome processes are running in the background and they are consuming too much memory. Plus, can you explain which malware was causing the redirecting problem? I have noticed that you have removed BingSvc. I am searching about it but did not get any proper information.

 
 

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
Ran by Malik (21-01-2017 22:35:20) Run:1
Running from C:\Users\Malik\Downloads
Loaded Profiles: Malik (Available Profiles: Malik)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(© 2015 Microsoft Corporation) C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Microsoft Corporation) C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe
HKLM-x32\...\Run: [CSTDCMainController2014] => [X]
HKLM-x32\...\Run: [CSTDCSolverServer2014] => [X]
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\...\Run: [BingSvc] => C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\...\Run: [Google Update] => C:\Users\Malik\AppData\Local\Google\Update\1.3.32.7\GoogleUpdateCore.exe [601752 2016-12-17] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Chrome Media Router) - C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
CHR HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
S2 AppfocserT; C:\ProgramData\\AppfocserT\\AppfocserT.exe -f "C:\ProgramData\\AppfocserT\\AppfocserT.dat" -l -a
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
CustomCLSID: HKU\S-1-5-21-3097050614-1544340420-1818939659-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Malik\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe
C:\ProgramData\\AppfocserT
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
[2516] C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe => process closed successfully.
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CSTDCMainController2014 => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CSTDCSolverServer2014 => value removed successfully
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc => value removed successfully
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => value removed successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Malik\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000\SOFTWARE\Google\Chrome\Extensions\fkkcgfbgohboipdhliafmacjnhjbhmim => key removed successfully
HKLM\System\CurrentControlSet\Services\AppfocserT => key removed successfully
AppfocserT => service removed successfully
HKLM\System\CurrentControlSet\Services\vmci => key removed successfully
vmci => service removed successfully
HKLM\System\CurrentControlSet\Services\VMnetAdapter => key removed successfully
VMnetAdapter => service removed successfully
HKU\S-1-5-21-3097050614-1544340420-1818939659-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe => moved successfully
"C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe" => not found.
"C:\ProgramData\\AppfocserT" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 112554740 B
Java, Flash, Steam htmlcache => 19131 B
Windows/system/drivers => 1091265699 B
Edge => 0 B
Chrome => 530218884 B
Firefox => 348517610 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66356 B
systemprofile32 => 66088 B
LocalService => 66228 B
NetworkService => 292898 B
Malik => 5207704461 B
TEMP => 0 B
 
RecycleBin => 2542767467 B
EmptyTemp: => 9.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 22:41:44 ====
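The Fixlog above is a flat list of `target => outcome` lines, and the useful triage question is which entries FRST actually removed (the Run values, the browser policy keys and the AppfocserT service are the ones most likely to explain a redirect) versus which it could not find, which in this thread usually means Malwarebytes, AdwCleaner or JRT had already cleaned the file. The following Python script is an added example, not part of the thread and not FRST's own code: it parses such lines and splits them into those groups. The sample lines are copied from the Fixlog in this thread; the outcome phrases it matches on, and the names `parse_fixlog`, `summarize`, `absent_targets` and `persistence_removed`, are assumptions made here rather than a documented FRST format.

```python
import re

# Constructed sample for offline use: a handful of result lines copied from the
# Fixlog posted in this thread. A real run would read the whole Fixlog.txt.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
[2516] C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe => process closed successfully.
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-3afc6ab7.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CSTDCMainController2014 => value removed successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\System\CurrentControlSet\Services\AppfocserT => key removed successfully
AppfocserT => service removed successfully
C:\Users\Malik\AppData\Local\Microsoft\BingSvc\BingSvc.exe => moved successfully
"C:\ProgramData\\AppfocserT" => not found.
EmptyTemp: => 9.2 GB temporary data Removed.
"""

# Outcome phrases as they appear in the Fixlog above (an assumption drawn from
# that log, not an official FRST specification).
OUTCOME_CLASSES = (
    ("removed", ("removed successfully", "moved successfully", "process closed successfully")),
    ("absent", ("not found", "no running process found")),
)

def classify_outcome(outcome):
    """Map the right-hand side of 'target => outcome' to removed / absent / other."""
    low = outcome.lower()
    for label, needles in OUTCOME_CLASSES:
        if any(n in low for n in needles):
            return label
    return "other"

def classify_target(target, outcome):
    """Guess what kind of artifact the left-hand side names."""
    if "service removed" in outcome.lower():
        return "service"
    if target.startswith("["):                     # "[pid] path" from CloseProcesses:
        return "process"
    if re.match(r"^(HKLM|HKU|HKCU|HKCR)\\", target):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", target):
        return "file"
    return "other"

def parse_fixlog(text):
    """Return one dict per 'target => outcome' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        if " => " not in line:
            continue
        target, outcome = line.split(" => ", 1)
        target = target.strip().strip('"')
        outcome = outcome.strip().rstrip(".")
        entries.append({
            "target": target,
            "outcome": outcome,
            "result": classify_outcome(outcome),
            "kind": classify_target(target, outcome),
        })
    return entries

def summarize(entries):
    """Count (kind, result) pairs, e.g. {("registry", "removed"): 3, ...}."""
    counts = {}
    for e in entries:
        key = (e["kind"], e["result"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def absent_targets(entries):
    """Items FRST could not find. In this thread Malwarebytes, AdwCleaner and
    JRT ran first, so 'not found' usually means an earlier tool already removed
    the file; it is not by itself a sign that the fix failed."""
    return [e["target"] for e in entries if e["result"] == "absent"]

def persistence_removed(entries):
    """Registry values/keys and services removed: the entries most likely to
    explain a browser redirect (Run keys, browser policy keys, a rogue service)."""
    return [e["target"] for e in entries
            if e["result"] == "removed" and e["kind"] in ("registry", "service")]

if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    for (kind, result), n in sorted(summarize(parsed).items()):
        print(f"{kind:9s} {result:8s} {n}")
    print("Not found:", *absent_targets(parsed), sep="\n  ")
    print("Persistence removed:", *persistence_removed(parsed), sep="\n  ")
```

Run it against a saved Fixlog.txt by replacing `SAMPLE_FIXLOG` with the file's contents; the `persistence_removed` list is the part worth reading first when a redirect stops after the fix, since it names the autostart and policy entries that were live before the fix ran.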


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:26 PM

Posted 23 January 2017 - 08:16 AM

But somehow I have a doubt: some Chrome processes are running in the background and they are consuming too much memory.

Chrome will create a new process when required. It will also add one for each extension. Disable those that you do not use often.
==

I have noticed that you have removed BINGSVC. I am searching about it but i did not get any proper information.


Resources:
https://www.reasoncoresecurity.com/bingsvc.exe-ff2f2c62b9f0a01bc5b3073dc3de6f7bbc623569.aspx
===

What caused the redirect is very hard to identify. I removed what I would have if it were my computer.
===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



