Infected with TDSS & google keeps redirecting


  • This topic is locked
9 replies to this topic

#1 BlisteredFetus

  • Members
  • 4 posts
  • Gender:Male

Posted 09 April 2017 - 02:08 PM

Below I have attached the reports from FRST and Rkill; also, if any more info is required, please let me know.

Attached Files




#2 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 09 April 2017 - 02:55 PM

Hello BlisteredFetus and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

P2P - I see you have P2P software, (FrostWire), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are, more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here.

  • on Windows Vista, 7/8/10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    createsrpoint;
    autoclean;
    emptyclsid;
    FFdefaults;
    iedefaults;
    CHRdefaults;
    emptyalltemp;
    emptyfolderscheck;delete
    ipconfig /flushdns;b
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

AdwCleaner log
JRT.txt
zoek-results.log


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 BlisteredFetus
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male

Posted 09 April 2017 - 03:27 PM

Here are the reports as requested. Also all P2P services have been uninstalled.

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 09 April 2017 - 04:25 PM

Those cleaned up some of your problems.

Please run another scan and send a new log.

Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the latest report
  • please paste the contents into your reply.

===================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit ‘Scan’.

Logs to include with next post:

Zemana AntiMalware report
New Frst.txt
New Addition.txt


Can you tell me if there is any improvement and what problems remain.

BTW, I’m in the UK and I probably won’t reply tonight but will get back as soon as I can.

Thanks

Satchfan

 




#5 BlisteredFetus
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male

Posted 09 April 2017 - 05:27 PM

As of the moment the issue seems to be resolved. I am no longer receiving any redirects, false home pages, or any unwanted search bars.

 

*Update: Problem has recurred, but a lot less persistently than before, as it had been nearly every other webpage. Since the last step these symptoms have occurred only a couple of times within the last five hours: double search bar on the Chrome home page, and redirect to a false home page.

Attached Files


Edited by BlisteredFetus, 09 April 2017 - 11:34 PM.


#6 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 10 April 2017 - 02:52 AM

You need to move Farbar Recovery Scan Tool to your desktop, otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
HKU\S-1-5-18\...\Run: [script_fcbd] => "D:\Ubisoft Game Launcher\games\Far Cry 3 Blood Dragon\fcbd.bat"
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKU\S-1-5-21-3569609947-3466015449-2966985755-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
2017-04-07 17:04 - 2017-04-07 17:04 - 00058332 _____ C:\Users\Blist\Downloads\Stellaris.Utopia-CODEX-[rarbg.to].torrent
2017-04-06 22:12 - 2017-04-06 22:12 - 00016251 _____ C:\Users\Blist\Downloads\Cities.Skylines.Deluxe.Edition.v1.5.2.F3.Incl.Stadiums.DLC-ALI213.torrent
2017-03-10 20:25 - 2017-03-10 20:30 - 00000000 ____D C:\Users\Blist\Documents\Vuze Downloads
2017-03-10 20:25 - 2017-03-10 20:25 - 00000000 ____D C:\Users\Blist\.swt
2017-03-10 20:24 - 2017-04-07 17:14 - 00000000 ____D C:\Users\Blist\AppData\Roaming\Azureus
2017-03-10 20:24 - 2017-03-10 20:24 - 00091808 _____ (Azureus Software, Inc.) C:\Users\Blist\Downloads\VuzeBittorrentClientInstaller.exe
FirewallRules: [{8F0EFD7A-F9D3-42B5-8238-BF0B905BAC41}] => (Allow) C:\Program Files (x86)\FrostWire 6\FrostWire.exe
FirewallRules: [{8B2A8B76-1C12-4FB6-B46C-D0211DFE17F6}] => (Allow) C:\Program Files (x86)\FrostWire 6\FrostWire.exe
FirewallRules: [{FDDDCE5A-9B73-45F0-9130-096F5D0DD970}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.561\SZBrowser.exe
FirewallRules: [{22C32C29-7014-4F7C-B11E-7150234F56B2}] => (Allow) F:\FrostWire 6\FrostWire.exe
FirewallRules: [{403EE18D-EF44-48D1-8DBD-A6AEEEF22979}] => (Allow) F:\FrostWire 6\FrostWire.exe
FirewallRules: [{DA01F841-2111-4CC6-ACD3-F54418FCE6A0}] => (Allow) F:\Vuze\Azureus.exe
FirewallRules: [{5E0ABD78-8058-4AF5-B2FE-B8AB2A68EAAF}] => (Allow) F:\Vuze\Azureus.exe
D:\Ubisoft Game Launcher\games\Far Cry 3 Blood Dragon\fcbd.bat
C:\Program Files (x86)\FrostWire 6\FrostWire.exe
C:\Program Files\AVAST Software\SZBrowser\3.55.2393.561\SZBrowser.exe
F:\FrostWire 6\FrostWire.exe
F:\Vuze\Azureus.exe
Hosts:
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Let me know how things are and if there are still no outstanding problems I’ll send instructions to tidy up.

Thanks

Satchfan

 


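Before a fixlist like the one above is run, it is worth having an inventory of exactly which registry values, firewall rules and paths it will remove. The parser below is an added example, not part of this thread or of FRST itself; it recognises the entry formats that appear in the post (file entries with created/modified dates, size and attribute flags, FirewallRules lines, a Run value, bare paths and colon-terminated directives) and is fed a constructed, abridged sample in that format, with the Run target and installer name shortened.

```python
import re

# Constructed sample in the FRST fixlist format used in the post above; a few representative
# lines only, with the Run target and installer name shortened (not the poster's full script).
SAMPLE_FIXLIST = r"""CloseProcesses:
HKU\S-1-5-18\...\Run: [script_fcbd] => "D:\Games\fcbd.bat"
2017-04-07 17:04 - 2017-04-07 17:04 - 00058332 _____ C:\Users\Blist\Downloads\example.torrent
2017-03-10 20:25 - 2017-03-10 20:30 - 00000000 ____D C:\Users\Blist\Documents\Vuze Downloads
2017-03-10 20:24 - 2017-03-10 20:24 - 00091808 _____ (Azureus Software, Inc.) C:\Users\Blist\Downloads\VuzeInstaller.exe
FirewallRules: [{8F0EFD7A-F9D3-42B5-8238-BF0B905BAC41}] => (Allow) C:\Program Files (x86)\FrostWire 6\FrostWire.exe
C:\Program Files (x86)\FrostWire 6\FrostWire.exe
Hosts:
EmptyTemp:
"""

# FRST file entry: created - modified - size flags [(company)] path; a D in the flags marks a folder.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
                     r"(\d{8}) ([_A-Z]{5}) (?:\([^)]*\) )?(.+)$")
FW_RE = re.compile(r"^FirewallRules: \[(\{[0-9A-F-]+\})\] => \((\w+)\) (.+)$")
RUN_RE = re.compile(r'^(HK\S+?)\\Run: \[([^\]]+)\] => "?([^"]+)"?$')


def parse_fixlist(text):
    """Classify each non-empty fixlist line as a (kind, details) tuple."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := FILE_RE.match(line):
            size, flags, path = m.groups()
            entries.append(("folder" if "D" in flags else "file", {"path": path, "size": int(size)}))
        elif m := FW_RE.match(line):
            entries.append(("firewall_rule", {"id": m[1], "action": m[2], "path": m[3]}))
        elif m := RUN_RE.match(line):
            entries.append(("run_key", {"key": m[1], "name": m[2], "path": m[3]}))
        elif re.fullmatch(r"[A-Za-z]+:", line):   # directives such as CloseProcesses: / EmptyTemp:
            entries.append(("directive", {"name": line[:-1]}))
        elif re.match(r"^[A-Za-z]:\\", line):     # bare path: FRST deletes it
            entries.append(("path", {"path": line}))
        else:                                     # other FRST entry types are left for manual review
            entries.append(("unknown", {"raw": line}))
    return entries


def paths_touched(text):
    """Deduplicated, sorted filesystem paths the fixlist will act on: review these before running it."""
    return sorted({d["path"] for _, d in parse_fixlist(text) if "path" in d})
```

Lines such as ShellIconOverlayIdentifiers or SearchScopes entries come back as "unknown" so they are not silently skipped.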


#7 BlisteredFetus
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male

Posted 10 April 2017 - 01:05 PM

I just want to verify before I move forward, as this portion has slightly confused me. So I have moved FRST to my desktop as stated above, and I have also copied the script from above and saved the document to my desktop. If I understand correctly, then I would start FRST and just run Fix? Or do I need to scan again, then fix? And also you had mentioned FRST and fixlist need to be saved in the same area to work; I assume both being on the desktop is what was meant by that?



#8 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 10 April 2017 - 04:23 PM

FRST and fixlist need to be saved in the same area to work I assume both being on the desktop is what was meant by that?

Yes.

 

You just need to run FRST that is on your desktop and when it opens, click on 'Fix'.


Edited by satchfan, 12 April 2017 - 04:56 PM.



#9 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 13 April 2017 - 01:25 AM

Hi BlisteredFetus

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you still need help. If I do not hear from you within 24 hours I'll assume that all is now OK and close this topic.

Satchfan




#10 satchfan

  • Malware Response Team
  • 2,937 posts
  • Gender:Female
  • Location:Devon, UK

Posted 14 April 2017 - 03:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
