Default browser is hijacked to zodiac-game.info at user login


This topic is locked
9 replies to this topic

#1 IonescuIon1977

  • Members
  • 6 posts

Posted 20 March 2017 - 01:28 AM

Hello,

I am facing the following behaviour with my PC (Windows 10 Home Edition):

- every time I log in to one specific account, the default browser automatically opens displaying the zodiac-game.info page.

- this is not happening when I log in to another account (created for testing after the previously described behaviour was noticed).

Any attempt to identify, locate and remove the malware with the available (to me) Anti-Malware programs (Malwarebytes, AdwCleaner, …) failed.

I’ve run BleepingComputer's Farbar tool (FRST) and got the FRST.txt and Addition.txt files, which I’ve attached.

Please have a look and advise on the actions to follow in order to remove the “bad guy” from my PC.

Thank you.

Attached Files
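The symptom described in this post (the browser opens a page at sign-in for one account only, not for a freshly created one) points at a per-user logon autostart rather than a system-wide one. The following PowerShell script is an added example, not code from the original thread, from BleepingComputer or from any of the tools named in it: it enumerates the per-user autostart locations that can launch something at sign-in and flags entries whose command line carries a URL or a .url/.htm(l) file. It is read-only. The hostname zodiac-game.info is the one named in the thread; the function names, the regular expression and the constructed sample commands at the end are assumptions.

```powershell
# Added example, not code from the original thread, from BleepingComputer or from
# any of the tools named in it. It enumerates the per-user logon autostart
# locations that can make the default browser open a page at sign-in (the
# symptom in the post) and flags entries whose command line contains a URL or a
# .url/.htm(l) file. Read-only. Run it while signed in AS THE AFFECTED ACCOUNT,
# because HKCU and the Startup folder belong to that account, which is also why
# the other account on the same PC showed no symptom. The hostname
# zodiac-game.info is the one from the thread; the function names, the pattern
# and the constructed sample commands at the end are assumptions.

$UrlPattern = 'https?://|\.(url|htm|html)(\s|"|$)|zodiac-game\.info'

function Test-BrowserLaunchingCommand {
    param([string]$Command)
    # True when the command would plausibly open a web page at logon.
    return [bool]($Command -match $UrlPattern)
}

function Get-UserLogonAutostart {
    [CmdletBinding()]
    param()
    $found = New-Object 'System.Collections.Generic.List[object]'

    # 1. Per-user registry locations that Explorer/Winlogon honour at sign-in.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # "Load" and "Run" values
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user "Shell" override
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $found.Add([pscustomobject]@{
                Source   = 'Registry'
                Location = "$key\$name"
                Command  = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            })
        }
    }

    # 2. The user's Startup folder: shortcuts, .url files and scripts all run at logon.
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path -LiteralPath $startup) {
        $wsh = New-Object -ComObject WScript.Shell
        foreach ($file in Get-ChildItem -LiteralPath $startup -File -Force | Where-Object Name -ne 'desktop.ini') {
            $target = switch ($file.Extension.ToLower()) {
                '.lnk'  { $lnk = $wsh.CreateShortcut($file.FullName); "$($lnk.TargetPath) $($lnk.Arguments)" }
                '.url'  { (Get-Content -LiteralPath $file.FullName | Where-Object { $_ -like 'URL=*' }) -join ' ' }
                default { $file.FullName }
            }
            $found.Add([pscustomobject]@{ Source = 'StartupFolder'; Location = $file.FullName; Command = $target })
        }
    }

    # 3. Scheduled tasks with a logon trigger; the principal shows which user they run as.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }
        foreach ($action in $task.Actions) {
            $found.Add([pscustomobject]@{
                Source   = "ScheduledTask ($($task.Principal.UserId))"
                Location = "$($task.TaskPath)$($task.TaskName)"
                Command  = "$($action.Execute) $($action.Arguments)".Trim()
            })
        }
    }

    foreach ($entry in $found) {
        $entry | Add-Member -NotePropertyName Suspicious `
                            -NotePropertyValue (Test-BrowserLaunchingCommand $entry.Command) -PassThru
    }
}

# Live run: everything that starts for this user at logon, suspicious entries first.
Get-UserLogonAutostart | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Source, Location, Command -AutoSize -Wrap

# Constructed sample commands (not taken from any real log) showing what the classifier flags.
@(
    'C:\Windows\System32\cmd.exe /c start http://zodiac-game.info/',
    '"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    'C:\Users\Public\news.url'
) | ForEach-Object { '{0,-5} {1}' -f (Test-BrowserLaunchingCommand $_), $_ }
```

The same three locations are what the attached FRST.txt already lists (its Registry, Startup and Scheduled Tasks sections), so the script is a way to re-check them from the affected account without re-reading the whole log; an entry that is flagged should be compared against the FRST output before anything is removed, and a hit in the Winlogon "Shell" value or in a task running as the affected user is worth more attention than a plain Run entry because those survive most one-click cleaners.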




#2 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany

Posted 20 March 2017 - 08:57 AM

Hello IonescuIon1977, welcome to Bleeping Computer's Malware Removal forum!

 
My name is Machiavelli. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
======================================================
 
Please consider the following points during this process:

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. 
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across an issue whilst following my instructions, please stop and inform me of the issue.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time.
  • I will notify you when I believe your computer is free of malware. Bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 

======================================================
 
Due to your words I'd like to have a look at all logs. 

 

==== Step I ====

 

You have said that you ran Malwarebytes. I need this log. So - please open MBAM and try following these instructions:

  • Upon completion of the scan or after the reboot, click the Reports menu.
  • Click the Date and Time box to sort by date/time. The most recent date/time should be at the top of the list. 
  • Select the first Scan Report in the list and click View Report.
  • Click Export followed by Copy to Clipboard.
  • Paste the report in your next reply.

==== Step II ====

 

Please take a look at this folder: C:\AdwCleaner\ and post all logs you see there. Thank you.

 

 

==== Step III ====

 

Have you run other tools than MBAM and AdwCleaner? If so, what tools, and do you have the logs?

 

======================================================================================

2017-03-18 11:28 - 2017-03-18 12:16 - 00000000 ____D C:\Users\Razvi\Downloads\Rogue.One.2016.1080p.BluRay.x264-SPARKS[rarbg]
2017-03-18 11:25 - 2017-03-18 11:25 - 00101769 _____ C:\Users\Razvi\Downloads\Rogue.One.2016.1080p.BluRay.x264-SPARKS-[rarbg.to].torrent
2017-03-17 22:05 - 2017-03-17 22:05 - 01489266 _____ C:\Users\Razvi\Downloads\stone-cold-gangplank-v1-by-pentaking.zip
2017-03-17 21:45 - 2017-03-17 21:45 - 38514538 _____ C:\Users\Razvi\Downloads\mega-charizard-x-galio.zip
2017-03-17 21:06 - 2017-03-17 21:06 - 04981584 _____ C:\Users\Razvi\Downloads\wukong-as-infernape-2-0-v2-by-mrbrokoli-zigizag.zip
2017-03-17 20:07 - 2017-03-17 20:07 - 28990000 _____ C:\Users\Razvi\Downloads\dj-zed-v1-by-ckyel-timewe.zip
2017-03-17 19:58 - 2017-03-17 19:58 - 00375354 _____ C:\Users\Razvi\Downloads\tom-tom-jerry-rengar-v1-by-pentaking.zip
2017-02-19 13:39 - 2016-12-09 19:22 - 00000000 ____D C:\Windows\AutoKMS

What's this?

 

STEP 1
CKScanner

  • Please download CKScanner and save the file to your Desktop.
  • Right-click CKScanner.exe and select Run as administrator to run the programme.
  • Click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Please run this programme only once.
  • A log (CKFiles.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.

STEP 2
MGADiag (Windows Vista/7)

  • Please download MGADiag and save the file to your Desktop.
  • Right-click MGADiag.exe and select Run as administrator to run the programme.
  • Upon completion, click Continue.
  • Click Copy.
  • Paste the copied log in your next reply.

======================================================

STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • CKFiles.txt
  • MGADiag log

Edited by Machiavelli, 20 March 2017 - 08:57 AM.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#3 IonescuIon1977
  • Topic Starter

Posted 21 March 2017 - 03:35 AM

Hi Machiavelli,

Thank you for answering and your help.

I started collecting the required information and by the end of the day I will post them back to you.

Please feel free to use my first name; it's shorter and easier.

Ion.

 



#4 Machiavelli

Posted 21 March 2017 - 05:00 AM

Hello Ion. 

Thanks for keeping me updated.


~Machiavelli


#5 IonescuIon1977

Posted 21 March 2017 - 10:43 PM

Hello Mr. M.

In reply to your requests here are my answers and ... questions:

 

Please consider the following points during this process:

  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   

 

Question: Is your recommendation for a “backup of important files” pertaining to personal data or also system data?

 

======================================================
 
Due to your words I'd like to have a look at all logs. 

 

==== Step I ====

 

You have said that you ran Malwarebytes. I need this log. So - please open MBAM and try following these instructions:

 

MB 21.03.2017.txt 21.03.2017 20:20

 

==== Step II ====

 

Please take a look at this folder: C:\AdwCleaner\ and post all logs you see there. Thank you.

 

AdwCleaner[S0].txt 12.03.2017 21:28

AdwCleaner[C0].txt 12.03.2017 21:36

AdwCleaner[S1].txt 21.03.2017 08:50

 

==== Step III ====

 

Have you run other tools than MBAM and Adwarecleaner? If so, what tools and do you have to logs?

 

I’ve also run some additional tools, listed below. Please note that some of them provided text-based logs, but others produced only image-based reports (tab- or list-based windows) that I’ve captured and which are available to you if necessary. Also, some logs are “cross-pointing” to some of the other tools I’ve used.

 

Zemana AntiMalware (Portable) – text-based and image captures

2017.03.11-18.48.00-i0-t92-d19.txt 21.03.2017 20:44

 

HitmanPro – text-based

HitmanPro_20170311_1917.log

 

Spy Hunter 4 – image captures

 

Emsisoft Anti-Malware – text-based

scan_170319-222254.txt 19.03.2017 22:23

 

Paretologic PC Health Advisor – image captures

 

======================================================================================

2017-03-18 11:28 - 2017-03-18 12:16 - 00000000 ____D C:\Users\Razvi\Downloads\Rogue.One.2016.1080p.BluRay.x264-SPARKS[rarbg]
2017-03-18 11:25 - 2017-03-18 11:25 - 00101769 _____ C:\Users\Razvi\Downloads\Rogue.One.2016.1080p.BluRay.x264-SPARKS-[rarbg.to].torrent
2017-03-17 22:05 - 2017-03-17 22:05 - 01489266 _____ C:\Users\Razvi\Downloads\stone-cold-gangplank-v1-by-pentaking.zip
2017-03-17 21:45 - 2017-03-17 21:45 - 38514538 _____ C:\Users\Razvi\Downloads\mega-charizard-x-galio.zip
2017-03-17 21:06 - 2017-03-17 21:06 - 04981584 _____ C:\Users\Razvi\Downloads\wukong-as-infernape-2-0-v2-by-mrbrokoli-zigizag.zip
2017-03-17 20:07 - 2017-03-17 20:07 - 28990000 _____ C:\Users\Razvi\Downloads\dj-zed-v1-by-ckyel-timewe.zip
2017-03-17 19:58 - 2017-03-17 19:58 - 00375354 _____ C:\Users\Razvi\Downloads\tom-tom-jerry-rengar-v1-by-pentaking.zip
2017-02-19 13:39 - 2016-12-09 19:22 - 00000000 ____D C:\Windows\AutoKMS

What's this?

 

If you are asking about the downloads previous to the last one I will say they are my nephew’s downloads: movies and/or (skin) games.

The last one is strange to me too: I can provide info about the C:\Windows\AutoKMS folder and its content.

Additional info: Windows 10 was installed on 9.12.2016.

 

STEP 1
 CKScanner

 

  • CKFiles.txt

 

ckfiles.txt 21.03.2017 20:24

 

STEP 2
 MGADiag (Windows Vista/7)

 

  • MGADiag log

 

Please note that I have not been able to generate log files with MGADiag.exe. When I ran it with administrator privileges it issued the message:

 

“Failed to create files, hr=0x80070002. Please contact support”

 

Instead I’ve captured images for all the tabs in the tool window which are available.    

Attachments:

MB 21.03.2017.txt

AdwCleaner[S0].txt

AdwCleaner[C0].txt

AdwCleaner[S1].txt

2017.03.11-18.48.00-i0-t92-d19.txt

HitmanPro_20170311_1917.log

scan_170319-222254.txt

ckfiles.txt

Attached Files



#6 Machiavelli

Posted 22 March 2017 - 05:11 AM

Hello Ion. Thanks for keeping me still updated. 

 

Well - it is wise to save personal data in the first place, but if you have some important system data I'd also save it. :-)

 

If you are asking about the downloads previous to the last one I will say they are my nephew’s downloads: movies and/or (skin) games.

The last one is strange to me too: I can provide info about the C:\Windows\AutoKMS folder and its content.

Additional info: Windows 10 was installed on 9.12.2016.

Before continuing with the help, I want to make sure that you understand my position on that: Personally, I do not support any kind of illegal software/films/etc. Therefore please uninstall all illegal software you have on your system, including deleting all your illegal films, music, etc.

 

 

One or more of the identified issues may be a result of downloading cracked/pirated/illegal software. Participating in the use of such software is a security risk. Were you aware your machine has cracked software installed? We do not approve of nor support illegal software.

Malware authors promote and release cracked software to spread malware. I strongly recommend you refrain from participating in this activity; your computer will be re-exposed to malware otherwise. Simply visiting a cracked software site often results in exposure to malware. In some instances malware may cause so much damage to your system that removal is not possible and the only option is to reformat your hard drive and reinstall your Operating System. Please refer to the following articles for more information.

I am prepared to continue providing assistance as long as you agree to remove all cracked software immediately.

 

==========================================================

 

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the lines below one at a time and paste (right-click + paste) into the Command Prompt. Press Enter on your keyboard after each line.

slmgr -dlv

 

  • A window will open. Please take a screenshot, edit personal data, and post it here.

~Machiavelli
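The step above asks for a screenshot of "slmgr -dlv" because the FRST log lists a C:\Windows\AutoKMS folder, which is the footprint of a KMS activation crack. The following PowerShell script is an added example and not code from the original thread or from BleepingComputer: it reads the same licensing data that slmgr -dlv reports, through the SoftwareLicensingProduct WMI class, so the result can be inspected as an object instead of a screenshot, and then sweeps for KMS-crack artefacts. It is read-only. The AutoKMS path and the Windows Application ID are taken from the thread; the function names and the name patterns used for tasks and services are assumptions.

```powershell
# Added example, not code from the original thread or from BleepingComputer.
# Reproduces the "slmgr -dlv" check through the SoftwareLicensingProduct WMI
# class, so the result is an object rather than a screenshot, and then looks for
# the artefacts of a KMS activation crack, which is what the C:\Windows\AutoKMS
# folder in the FRST log suggests. Read-only. The folder path and the Windows
# Application ID come from the thread; the function names and the name patterns
# used for tasks and services are assumptions.

function Get-WindowsLicenseState {
    # slmgr -dlv reports the product that actually has a key installed; the same
    # filter (PartialProductKey set, Windows application ID) selects it here.
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
                      4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey <> null AND ApplicationID = '55c92734-d682-4d71-983e-d6ec3f16059f'" |
        Select-Object -First 1 |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                Description       = $_.Description
                Channel           = $_.ProductKeyChannel               # e.g. OEM:NONSLP, Retail, Volume:GVLK
                LicenseStatus     = $statusNames[[int]$_.LicenseStatus]
                PartialProductKey = $_.PartialProductKey
                KmsHost           = $_.KeyManagementServiceMachine                 # set only when KMS-activated
                KmsHostDiscovered = $_.DiscoveredKeyManagementServiceMachineName   # found via DNS SRV lookup
            }
        }
}

function Find-KmsCrackArtifacts {
    # Heuristic sweep for an activation crack: the AutoKMS folder the thread's
    # FRST log lists, plus scheduled tasks or services whose name or command
    # line mentions KMS (pattern is an assumption; review hits by hand).
    $hits = New-Object 'System.Collections.Generic.List[string]'
    $folder = Join-Path $env:SystemRoot 'AutoKMS'
    if (Test-Path -LiteralPath $folder) {
        $hits.Add("folder: $folder")
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($task.TaskName -match 'kms' -or $cmd -match 'kms') {
            $hits.Add("task: $($task.TaskPath)$($task.TaskName) -> $($cmd.Trim())")
        }
    }
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue) {
        if ($svc.Name -match 'kms' -or $svc.PathName -match 'kms') {
            $hits.Add("service: $($svc.Name) -> $($svc.PathName)")
        }
    }
    return ,$hits
}

$license   = Get-WindowsLicenseState
$artifacts = Find-KmsCrackArtifacts

$license | Format-List
if ($license.Channel -match 'GVLK|KMS' -or $license.KmsHost -or $artifacts.Count -gt 0) {
    Write-Warning 'KMS activation or KMS-crack artefacts present:'
    foreach ($hit in $artifacts) { Write-Warning "  $hit" }
} else {
    "No KMS host configured and no AutoKMS artefacts found (channel $($license.Channel), status $($license.LicenseStatus))."
}
```

A Volume:GVLK channel with a real corporate KMS host is legitimate on a domain-joined machine; the tell-tale of an emulator is a KMS host that points back at the machine itself (localhost or 127.0.0.1) together with a local task or service that keeps re-activating. Note that this check only covers Windows (the Application ID filter), so an AutoKMS install used for Office would show up only in the artefact sweep, not in the licence object.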
 
 


#7 IonescuIon1977

Posted 24 March 2017 - 07:36 AM

Hello Mr. M.,

I conveyed your request to my niece and nephew as they are the “de-facto” (current) users of the infected PC. I’m only … an English speaking intermediate person conveying messages in between. I hope they understood your recommendations and they will act accordingly.

 

The results of running the slmgr -dlv command are:

 

Windows Script Host

Software licensing service version: 10.0.14393.351
Name: Windows®, Core edition
Description: Windows® Operating System, OEM_COA_NSLP channel
Activation ID: 30d469c6-a78f-4476-b5c8-af78d5b6a5fb
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 03612-03260-079-169458-02-2057-14393.0000-3442016
Product Key Channel: OEM:NONSLP
Installation ID: 7205 7702 3371 8014 1738 1596 7944 8016 1304 0914 2254 4993 1410 6312 3303 682
Use License URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
Validation URL: https://validation-v2.sls.microsoft.com/SLWGA/slwga.asmx
Partial Product Key: T6PHG
License Status: Licensed
Remaining Windows rearm count: 1001
Remaining SKU rearm count: 1001
Trusted time: 23/03/2017 22:18:40



#8 Machiavelli

Posted 24 March 2017 - 10:29 AM

Please give me a new set of FRST logs. :)

 

Thank you, Ion.


~Machiavelli


#9 IonescuIon1977

Posted 28 March 2017 - 02:50 AM

Hello Mr. M.,

Sorry for my belated answer.

It seems the infection on our PC is so extensive that my "younger generation" decided to apply a more drastic course of action and reinstall the OS (Win 10 Home). They think that trying to remove the “bugs” piece by piece would be a painstaking process and they want to spare your time, as well as theirs. And mine, I dare add.

Thank you for your advice and help.

Ion

P.S. Should I close the topic or it will be automatically closed?



#10 Machiavelli

Posted 28 March 2017 - 12:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli




