
unstopaccess.com browser hijack


This topic is locked
7 replies to this topic

#1 mwaurelius


Posted 02 May 2017 - 11:55 AM

Hello,

I use both Chrome and Internet Explorer at different times for different reasons. Recently I've had trouble with a search engine hijack which affected both browsers. After a lot of searching and self-help attempts, I think I finally have the (current) root cause, but I'd like some advice before proceeding.

I removed 7-Zip, Google Toolbar for IE, Java, and Flash Player; all of these were either installed or updated within the last couple of days. That got me some improvement with no longer seeing a bitmotion tab hijack - oh, and let's not forget the "Warning! Microsoft Update required to remove malicious software!" verbal threat coming from my speakers, which started in IE and migrated to Chrome. That seems to be gone now.

I keep getting a "secure search" bar at the top of the page any time I use Google in either browser, which captures the cursor and redirects to Bing. There is an X which will close it, but then the links on the Google results page don't work until the page is refreshed. That is fixed now - sort of - as detailed below.

I found advice on changing the proxy settings and located where my LAN settings were set to use an automatic configuration script; I unchecked that box and blanked the text box with "http://unstopaccess.com/wpad.dat? . . . "

That's where my progress stopped. The box under LAN settings is unchecked on both browsers, but erasing the text in the automatic configuration script doesn't take. It's the same on both browsers. Further digging got me into regedit, and NOW I want advice before proceeding further:

I found the unstopaccess entry under HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/services/NlaSvc/Parameters/Internet/ManualProxies/Default

F3 only got me the one instance and I've exited regedit without making changes. The hijack is dormant for now. I assume it's safe to delete the entry, but I know how quickly I could screw things up, thus: HELP!

My one saving grace in this is that I know what I know and I know what I don't know, so I know when to seek greater wisdom.

Ah, multiple passes of Avast don't find viruses, Malwarebytes no longer finds issues, TDSSKiller didn't find anything, and the "easy fix" option from Microsoft said I had the wrong version of IE for it to work.

A couple of hours later: I gotta say, I THOUGHT I had most things under control. I still have some kind of new tab hijack on Chrome, and I closed it before noting the address; also the secure search bar came back once. They won't repeat after I closed them, so I guess I gotta completely close the program before it will show me the behavior again. I'm in the middle of something, so I will update again when I have further details.

Second update: The new tab hijacker in Chrome is an address of https://secure-surf.net/ and I saw it change the standard blank new tab to a faux new tab which is actually a webpage. Chrome is my primary browser.

Edited by mwaurelius, 02 May 2017 - 02:03 PM.
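An added audit script, not code from the thread or from any tool named in it, that checks the two places the post above describes (the per-user automatic configuration script URL and the NlaSvc ManualProxies key) and flags any PAC URL or proxy whose host is not on your own allow-list. It assumes an elevated PowerShell prompt; $AllowedPacHosts and the function names are this example's own.

```powershell
# Added example (not from the thread): audit the Windows proxy/PAC settings the
# hijack above abused, so an entry like http://unstopaccess.com/wpad.dat is
# surfaced rather than hunted for by hand. Run from an elevated PowerShell prompt.
# Assumption: $AllowedPacHosts is your own allow-list of legitimate PAC/proxy hosts.
$AllowedPacHosts = @()   # e.g. 'proxy.corp.example' if your network uses a PAC file

function Get-ProxyFindings {
    $findings = @()

    # Per-user WinINet settings, shared by Internet Explorer and Chrome on Windows
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $user = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    if ($user.AutoConfigURL) {
        $findings += [pscustomobject]@{ Source = "$userKey\AutoConfigURL"; Value = $user.AutoConfigURL }
    }
    if ($user.ProxyEnable -eq 1 -and $user.ProxyServer) {
        $findings += [pscustomobject]@{ Source = "$userKey\ProxyServer"; Value = $user.ProxyServer }
    }

    # Machine-wide key where the poster found the unstopaccess entry
    $nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies'
    if (Test-Path $nlaKey) {
        $nla = Get-ItemProperty -Path $nlaKey -ErrorAction SilentlyContinue
        foreach ($p in $nla.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath etc.
            if ("$($p.Value)".Length -gt 0) {
                $findings += [pscustomobject]@{ Source = "$nlaKey\$($p.Name)"; Value = "$($p.Value)" }
            }
        }
    }
    return $findings
}

function Test-SuspiciousProxy {
    param([string]$Value)
    # A PAC URL or proxy pointing at a host you do not control is the indicator here
    if ($Value -match '^(?:https?://)?([^/:\s]+)') {
        return ($AllowedPacHosts -notcontains $Matches[1])
    }
    return $false
}

$results = @(Get-ProxyFindings)
if ($results.Count -eq 0) { 'No proxy or PAC settings configured.' }
foreach ($f in $results) {
    $flag = if (Test-SuspiciousProxy $f.Value) { 'SUSPICIOUS' } else { 'allowed' }
    '{0,-10} {1}' -f $flag, $f.Source
    '           {0}' -f $f.Value
}
```

A value that reappears after being cleared, as the poster saw, means something on the machine is rewriting it, which is why the FRST fix later in the thread removes the proxy configuration rather than just the browser setting.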


#2 nasdaq

Malware Response Team

Posted 03 May 2017 - 07:49 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need more information.

Download the version of this tool for your operating system
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add Reply" button.
===

Please post both logs.

Wait for further instructions.
 


#3 mwaurelius

Topic Starter

Posted 03 May 2017 - 09:51 AM

Thank you. Here are the text files. 


#4 nasdaq

Malware Response Team

Posted 03 May 2017 - 10:07 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Mark\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-1351187723-3052053069-661632602-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (Avast SafePrice) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-05-02]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
CustomCLSID: HKU\S-1-5-21-1351187723-3052053069-661632602-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Mark\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1351187723-3052053069-661632602-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Mark\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1351187723-3052053069-661632602-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Mark\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1351187723-3052053069-661632602-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Mark\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File

RemoveProxy:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.

Click "Settings", then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
===

Please let me know what problem persists with this computer.

#5 mwaurelius

Topic Starter

Posted 03 May 2017 - 02:06 PM

At first blush it looks like that fixed the problems, but the Farbar tool froze on C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\History

My programming days were back in the era of 8-bit BASIC, so I can't read the coding, but I noticed the Fixlog had several entries in plain text saying a reboot of the computer is required. I'm a bit averse to just shutting down the tool and rebooting when I don't know if it's done and safe to do so.

Is the fix complete? Is it safe to reboot and force the program to close?



#6 nasdaq

Malware Response Team

Posted 04 May 2017 - 07:23 AM

Yes, a reboot will reset the Registry.

#7 mwaurelius

Topic Starter

Posted 09 May 2017 - 04:02 AM

Two last things:

1) What did you do to clean the crud from Chrome? I've done various resets before, deleted browsing history, uninstalled and reinstalled, etc., but I've never seen a performance improvement, and whatever you did made Chrome load pages faster.

2) Where can I go to make a contribution to the site?



#8 nasdaq

Malware Response Team

Posted 09 May 2017 - 08:31 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

My services are free. Thank you for your gesture.
