
reimageplus.com


  • This topic is locked
36 replies to this topic

#1 flipper88

  • Members
  • 17 posts

Posted 04 May 2017 - 03:43 PM

I'm running Windows 10 and my browsers (Chrome or Explorer) are being hijacked: I am redirected to reimageplus.com and other popup pages randomly appear. Please help.





#2 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 04 May 2017 - 03:59 PM

Hello flipper88 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please complete these tasks in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Malwarebytes Anti-Malware

Please download and run the installer for Malwarebytes 3.0.

  • follow the prompts to install the program, (Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0)
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it, (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the ‘History’ tab, then ‘Application Logs’
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Logs to include with the next post:

AdwCleaner log
JRT.txt
Mbam.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 04 May 2017 - 10:39 PM

Hi, thanks a lot for the help. Ran all these and got hits. All logs attached.
 
It's also worth noting that my computer is still running unusually slowly, and when I open Chrome from the task bar it will open up a separate Chrome icon, highlighted, while the one I pressed stays unhighlighted. I have attached a photo of what I mean. Does this mean that the browser may be infected?
 
Also, after MBAM quarantined and restarted my machine, a few MBAM notifications popped up saying that it blocked some actions. I then went in to look at the quarantined items to delete them, and when I select all the items and press delete, it just slows for a second and won't delete them for some reason. Also, when I try to copy-paste the MBAM log, it freezes the browser, so I copy-pasted it into a text file and attached it.
 
Something is still seemingly weird.

Please let me know how to proceed.
 
Thanks again.
 




#4 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 05 May 2017 - 02:49 AM

This is a known infection that we can deal with but it requires some patience.

Run Zoek

Please temporarily disable your AV program.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7, 8 and 10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyalltemp;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on ‘Report’ and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Logs to include with next post:

RKreport.txt
zoek-results.log


Thanks

Satchfan

 




#5 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 05 May 2017 - 06:46 PM

Hi Satchfan. Thanks again for all your help. I have run both Zoek and RogueKiller and, per your advice, I have not deleted any hits from the RK scan as yet. Awaiting your advice.

Michael

Attached files: zoek-results.txt (36.04KB), rk_88A0.tmp.txt (24.93KB)



#6 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 06 May 2017 - 04:07 AM

Thanks for the logs. We’ll deal with what was found and then I’ll need a further look with another tool.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select Run as Administrator
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Please then run it again and send the new log.

================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

RogueKiller fix log
Frst.txt
Addition.txt


Thanks

Satchfan

 




#7 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 07 May 2017 - 12:17 AM

Hi

I've done all this.

Ran RK first time and deleted 3 threats and kept 4 PUMS because they were not ticked.

Ran RK 2nd time and deleted the 4 PUMS

Ran Farbar

 

All logs attached.

 

I know you will let me know if all is well now. Thank you.

 

Will I be safe in future just with Windows Defender running real time? Or what defence program of the myriad I have downloaded should I retain and keep active? I understood there may be conflicts with too many defence apps running?

 

Thanks again

Michael




#8 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 07 May 2017 - 09:18 AM

Chrome has been infected and it’s best to re-install it.

First we’ll deal with some other things that need to be tidied up.


Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
SearchScopes: HKU\S-1-5-21-1441478926-2672369693-885476621-1005 -> DefaultScope {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1441478926-2672369693-885476621-1005 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {7827CF56-F989-4D92-BACC-6538B234FD83} - System32\Tasks\{12F689F1-F1AB-0668-F111-EB47A576F75E} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\6765bf13\2b73f500.dll" <==== ATTENTION
Task: {ED9A6332-31FD-42DF-BEA1-6AB46D752D39} - \avast! SL Update -> No File <==== ATTENTION
C:\Users\Michael Pattinson\AppData\Roaming\sp_data.sys
C:\ProgramData\DP45977C.lfl
C:\PROGRA~3\6765bf13
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

====================================================

Download TFC to your desktop

  • close any open windows
  • double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • click the Start button to begin the process
  • allow TFC to run uninterrupted
  • the program should not take long to finish its job
  • once it's finished it should automatically reboot your machine
  • if it doesn't, manually reboot to ensure a complete clean.

====================================================

Uninstall/Reinstall Google Chrome

First save all your bookmarks/favourites.

  • open Chrome, click on the 3 bars in the top right hand corner, select Bookmarks and then Bookmarks Manager
  • click on Organise and then select Export Bookmarks to HTML file, then choose Desktop to save it
  • again, click on the three bars in the top right hand corner and select Settings
  • in the list of Settings under “Sign in” click on Disconnect your Google Account – (if “Disconnect your Google Account” is not there, you will have to sign in using your Chrome username and password first to make it visible)
  • in the text of the next window click on “Google Dashboard” then, at the “Chrome sync” screen, click on Stop and Clear at the bottom
  • a box will open and ask for confirmation, click on OK (wait for this to complete before doing the next step)
  • when confirmation appears close that page and then click on Disconnect account
  • shut Google Chrome, click on Start > Control Panel > Programs and Features (or Add/Remove Programs in XP) and uninstall Google Chrome. Select Everything for removal if asked.

Reboot the system and then reinstall Google Chrome from here

Repeat the process to reinstate your bookmarks by going to Bookmarks > Bookmarks Manager > Organise and select Import Bookmarks.

================================================

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit ‘Scan’.

Logs to include with next post:

Fixlog.txt
New Frst.txt
New Addition.txt


Can you tell me what remaining problems there are?

Thanks

Satchfan

 


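The fixlist above targets three kinds of entry that FRST reported: a scheduled task that launches Regsvr32.exe /s /n /i:"/rt" against a DLL in a randomly named folder under C:\ProgramData (the /n switch skips DllRegisterServer and /i: hands its string to the DLL's DllInstall export, so the DLL's code runs silently every time the task fires), a driver service whose binary is gone (the [X] after zam64.sys), and the per-user Internet Explorer SearchScopes keys under HKU\<SID>. The PowerShell below is an added example, not code from this thread, from FRST or from BleepingComputer; it reproduces those three checks on a live Windows 8/10 machine so a reader can see how such entries are found without a third-party tool. The eight-hex-digit folder pattern is an assumption generalised from the single path in this log (C:\PROGRA~3\6765bf13\2b73f500.dll), and the function names are mine.

```powershell
# Added example (not from the thread, FRST or BleepingComputer). Run from an
# elevated PowerShell prompt on Windows 8/10; Get-ScheduledTask comes from the
# built-in ScheduledTasks module.

function Find-RegsvrTasks {
    # Flag task actions of the form  regsvr32.exe /s /n /i:"..." <dll>  where the
    # DLL lives in a random 8-hex-digit folder under ProgramData (or its 8.3 alias
    # PROGRA~3). The folder regex is an assumption generalised from the one path
    # in the FRST log above.
    $payloadDir = '(?i)(ProgramData|PROGRA~\d)\\[0-9a-f]{8}\\'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; $null -match is simply $false
            if ($action.Execute -match '(?i)regsvr32(\.exe)?$' -and
                $action.Arguments -match '(?i)/i:' -and
                $action.Arguments -match $payloadDir) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = "$($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

function Get-UserSearchScopes {
    # FRST reports IE SearchScopes per user hive (HKU\S-1-5-21-...). Enumerate
    # them the same way so a redirected default search URL stands out.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
        # Only real user SIDs; skips S-1-5-18 etc. and the *_Classes hives
        if ($hive.PSChildName -notmatch '^S-1-5-21-(\d+-){3}\d+$') { continue }
        $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $key)) { continue }
        $default = (Get-ItemProperty $key).DefaultScope
        foreach ($scope in Get-ChildItem $key) {
            $p = Get-ItemProperty $scope.PSPath
            [pscustomobject]@{
                Sid       = $hive.PSChildName
                Scope     = $scope.PSChildName
                IsDefault = ($scope.PSChildName -eq $default)
                Name      = $p.DisplayName
                URL       = $p.URL
            }
        }
    }
}

function Find-OrphanedDrivers {
    # "S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]" means a kernel
    # driver service whose file no longer exists. Resolve each driver service's
    # ImagePath to a filesystem path and test whether the binary is present.
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; skip Win32 services and non-service keys
        if (-not $p.ImagePath -or $p.Type -notin 1, 2) { continue }
        $path = $p.ImagePath -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''                          # \??\C:\...        -> C:\...
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot          # \SystemRoot\...   -> C:\WINDOWS\...
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\" # System32\drivers\ -> C:\WINDOWS\System32\drivers\
        $path = [Environment]::ExpandEnvironmentVariables($path)         # %SystemRoot%\...
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Service = $svc.PSChildName; Start = $p.Start; ImagePath = $p.ImagePath }
        }
    }
}

Find-RegsvrTasks     | Format-List
Get-UserSearchScopes | Format-Table -AutoSize
Find-OrphanedDrivers | Format-Table -AutoSize
```

Treat the output as candidates for review rather than a removal list, in the spirit of the "do not remove anything the scan detects" guidance earlier in the thread: legitimate installers also register DLLs from scheduled tasks, an orphaned driver entry can be left behind by an uninstaller, and the SearchScopes entries in this particular fixlist point at google.com.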


#9 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 08 May 2017 - 12:12 AM

Hi Satchfan

Pls clarify the following before I do your latest instructions: (SEE CAPS INSERTED BELOW)

Michael

 

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work (DO YOU MEAN THAT I SAVE THE NEWLY CREATED 'LOG' FILES OF FRST & FIXLIST IN THE SAME LOG FOLDER, OR DO YOU MEAN THAT I SAVE THE RENAMED FIXLIST.TXT IN THE FRST PROGRAM FOLDER?)
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.


#10 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 08 May 2017 - 02:13 AM

The original FRST program is on your desktop. The 'fix' must also be saved to the desktop, (ie, the same location as FRST). You will end up with FRST on your desktop and the newly-created Fixlist.txt also on your desktop.

 

Let me know if you need further clarification.




#11 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 08 May 2017 - 04:04 AM

I ran Farbar

I copied renamed text log into Notebook and saved to desktop where FRST is

I ran FRST and it created Fixlog.txt (this demanded a restart)

after restart, fixlist.txt is no longer on the desktop

downloaded TFC and did all TFC stuff

uninstalling Chrome - after 'Stop and Clear'- there is no option to disconnect account

anyway, went to 'add/remove programs' and Chrome will not uninstall

Have not proceeded past this point

 

arrggh

 

:-)

 

Michael

Attached Files



#12 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 08 May 2017 - 04:13 AM

went to 'add/remove programs' and Chrome will not uninstall

What happens when you try to uninstall Chrome via the Control Panel?




#13 flipper88

  • Topic Starter
  • Members
  • 17 posts

Posted 08 May 2017 - 04:24 AM

Via Control Panel I get this message (see attached). Can't proceed past this point. This infection also hijacked IE when I tried to use it as a Chrome alternative.

 




#14 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 08 May 2017 - 04:52 AM

Disconnect from your Chrome account and try uninstalling it again:

  • open Chrome
  • at the top right, click More > Settings
  • under ‘Sign in’, click Disconnect your Google Account
  • click Disconnect account.




#15 satchfan

  • Malware Response Team
  • 2,918 posts
  • Location:Devon, UK

Posted 11 May 2017 - 01:54 AM

Hi flipper88

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you still need help. If I don't get a reply within 24 hours I'll assume you no longer need help and close this topic.

Satchfan

