
Virus that keeps coming back (installs firefox, redirects home page etc.)


This topic is locked.
10 replies to this topic

#1 feus5889

Posted 11 May 2017 - 10:17 AM

Hi all, 

I have been having this recurring issue with a virus that keeps coming back even after I deleted it using antivirus software. This virus would install Firefox automatically, change my Google homepage to luckystarting123.com, add a Chrome shortcut to the desktop, and sometimes add a game icon called "Big Farm" on the desktop. 

I used MalwareBytes, rkill, RogueKiller, Zemana to remove the virus, and they all seem to do a great job but it will only last for about 2-3 days, then the virus will come back and manifest itself in my laptop. 

Attached here are the FRST scan files: 

Mod Edit:  Merged topics - Hamluis.
I have the same issue as the user in this topic: https://www.bleepingcomputer.com/forums/t/645959/help-me-chrome-browser-hijackadware-and-malware-keeps-coming-back/?hl=%2Bbig+%2Bfarm
 
Firefox would be installed automatically, Google Chrome icon would appear on the desktop, and my Chrome homepage would get changed to luckystarting123.com. 
 
I tried deleting the virus by using rkill, RogueKiller, MalwareBytes (it's detected as Adware.Elex in MalwareBytes) and even Zemana but to no avail, it keeps coming back. 

Please help me!
 

Attached Files


Edited by hamluis, 11 May 2017 - 11:13 AM.




#2 JSntgRvr

  • Malware Response Team

Posted 12 May 2017 - 08:14 PM

Welcome. :)
  • Highlight the entire content of the quote box below.

Start::
FirewallRules: [{85CF07F7-79B5-4E60-A12D-B0CDF7BE9FC2}] => (Allow) LPort=6900
FirewallRules: [{0793041F-6BF4-442C-9974-11B7E8C88F81}] => (Allow) LPort=6900
FirewallRules: [{964D621E-DFF0-43E4-989F-6BDBB829998F}] => (Allow) LPort=6966
FirewallRules: [{6701FB76-1B4B-4D04-B6EF-A6E2F16D1F65}] => (Allow) LPort=6966
FirewallRules: [{571494E4-AAA0-496D-BEBD-4BDDEF9F48D2}] => (Allow) LPort=6968
FirewallRules: [{499F9A81-C67E-4B98-8925-841983AF1D76}] => (Allow) LPort=6968
FirewallRules: [{4DF91A07-B49D-4AAD-AAEF-9533AD0F922F}] => (Allow) LPort=6903
FirewallRules: [{2982119A-FF1E-4E74-A7BE-AD3D78CD2673}] => (Allow) LPort=6903
FirewallRules: [{6B2F4C57-DF66-45F4-9213-AA062C441E7F}] => (Allow) LPort=6894
FirewallRules: [{453CCF55-05AD-49CE-9BED-BD092005A071}] => (Allow) LPort=6894
FirewallRules: [{7274326A-15B7-44EB-9000-4BC1F4FC3D03}] => (Allow) LPort=6980
FirewallRules: [{348D3EAF-7B87-4F00-8958-355A29BE373F}] => (Allow) LPort=6980
FirewallRules: [{0349B001-64E9-4734-AB9A-9D0F81670355}] => (Allow) LPort=6924
FirewallRules: [{8E2217CF-8DE9-487D-9F7E-42AE367B7088}] => (Allow) LPort=6924
FirewallRules: [{8C30C80B-C541-4850-AA66-19B617FDB6CE}] => (Allow) LPort=8370
FirewallRules: [{03796F71-9E44-4253-8EB0-27E6B8DD092A}] => (Allow) LPort=8370
FirewallRules: [{15F643CD-16B4-484D-A744-B20049837750}] => (Allow) LPort=8370
FirewallRules: [{CD89C3F3-EE28-4356-A1C3-0992C99A8A10}] => (Allow) LPort=8370
FirewallRules: [{CD0BF99E-6830-409E-B183-6C5FDCFA9503}] => (Allow) LPort=6959
FirewallRules: [{586A5C47-7B62-4DCA-A981-C6ED6E535E53}] => (Allow) LPort=6959
FirewallRules: [{5FA9C70B-3326-4899-9146-A9D1496E1525}] => (Allow) LPort=6885
FirewallRules: [{7CF9D38D-5CC9-4562-9BCF-F636438FAE3B}] => (Allow) LPort=6885
FirewallRules: [{6CD45128-FB61-49B3-83FF-E1C63B037E26}] => (Allow) LPort=6977
FirewallRules: [{CA13EE15-F9FC-4A88-B371-C6285C087085}] => (Allow) LPort=6977
FirewallRules: [{8FC359CE-E76C-44DC-A38A-C14D24430CAB}] => (Allow) LPort=6921
FirewallRules: [{B13A6D5A-A3F3-4B93-BFBE-F29AC3E642F8}] => (Allow) LPort=6921
HKU\S-1-5-21-1816971154-4276762950-2494795807-1001\...\Run: [background_fault] => "C:\Users\Ji\AppData\Local\background_fault\aswRD.exe" "C:\Users\Ji\AppData\Local\background_fault\bf.dll",background_fault_collector <===== ATTENTION
CHR Profile: C:\Users\Ji\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-11] <==== ATTENTION
HKU\S-1-5-21-1816971154-4276762950-2494795807-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.) <==== ATTENTION
R3 gkernel; C:\Users\Ji\AppData\Local\Temp\gkernel.sys [50680 2017-05-11] () <==== ATTENTION
C:\Users\Ji\AppData\Local\Temp\gkernel.sys
C:\Program Files (x86)\Zoohair\Application\chrome.exe
2016-11-15 19:54 - 2016-11-15 19:54 - 0178176 _____ () C:\Users\Ji\AppData\Roaming\Setup71781.exe
2015-07-14 14:25 - 2017-05-11 22:16 - 0000165 _____ () C:\Users\Ji\AppData\Roaming\sp_data.sys
2016-10-24 01:36 - 2017-04-06 16:36 - 0000366 _____ () C:\Users\Ji\AppData\Roaming\WB.CFG
2015-11-16 18:50 - 2016-02-18 13:47 - 0007603 _____ () C:\Users\Ji\AppData\Local\Resmon.ResmonCfg
2016-09-15 04:52 - 2016-09-15 04:52 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-12-04 00:56 - 2012-09-07 19:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-12-04 00:56 - 2009-07-22 18:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-12-04 00:56 - 2012-09-07 19:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
C:\Users\Ji\Downloads\setup (3).exe
2017-04-14 17:55 - 2016-11-11 18:13 - 1886344 _____ (Microsoft Corporation) C:\Users\Ji\AppData\Local\Temp\dllnt_dump.dll
HKU\S-1-5-21-1816971154-4276762950-2494795807-1001\...\ChromeHTML: -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.) <==== ATTENTION
Task: {0727D557-5CDF-4E35-BF8A-2A4CAAFB5045} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {0CB105F9-FC41-4BE3-8CFB-12607C14C08E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {39AC05EA-C641-42C9-8775-C2E0C3CB60B8} - \Dresywoks -> No File <==== ATTENTION
Task: {44954CD9-4ED4-4AF5-A598-F03A554E28D9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5A5CE712-12A0-485A-9EE8-D43C8336F720} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-11] () <==== ATTENTION
Task: {60248161-79ED-4B6A-8D4B-0272A80B3273} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {62E0E11E-607E-4A2E-8A32-E7F6E648BE0D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {7A76516B-D334-4136-97D8-D87CA75BB066} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8947AE0C-AA47-415E-8FFC-AAABB1588171} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A9A19EDF-0494-4155-A544-615F74320221} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {BEA6485D-4A40-4406-A3B6-5378CC246DFD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BEC947F8-9A91-4947-96EC-DE7472A514C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DAF580E8-4660-4810-961F-1964F50CE6D2} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {DB099EBD-F215-4FA2-9D7A-45984C6767CC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E0C08CBF-4860-478B-9DB9-78589E515302} - \WPD\SqmUpload_S-1-5-21-1816971154-4276762950-2494795807-1001 -> No File <==== ATTENTION
ShellExecuteHooks: No Name - {79DECBF8-0D50-11E7-BF4F-64006A5CFC23} - -> No File
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
Task: {0727D557-5CDF-4E35-BF8A-2A4CAAFB5045} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {0CB105F9-FC41-4BE3-8CFB-12607C14C08E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {39AC05EA-C641-42C9-8775-C2E0C3CB60B8} - \Dresywoks -> No File <==== ATTENTION
Task: {44954CD9-4ED4-4AF5-A598-F03A554E28D9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {60248161-79ED-4B6A-8D4B-0272A80B3273} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {62E0E11E-607E-4A2E-8A32-E7F6E648BE0D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {7A76516B-D334-4136-97D8-D87CA75BB066} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8947AE0C-AA47-415E-8FFC-AAABB1588171} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A9A19EDF-0494-4155-A544-615F74320221} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {BEA6485D-4A40-4406-A3B6-5378CC246DFD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BEC947F8-9A91-4947-96EC-DE7472A514C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DAF580E8-4660-4810-961F-1964F50CE6D2} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {DB099EBD-F215-4FA2-9D7A-45984C6767CC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E0C08CBF-4860-478B-9DB9-78589E515302} - \WPD\SqmUpload_S-1-5-21-1816971154-4276762950-2494795807-1001 -> No File <==== ATTENTION
R3 gkernel; C:\Users\Ji\AppData\Local\Temp\gkernel.sys [50680 2017-05-11] () <==== ATTENTION
2017-04-14 17:55 - 2015-02-13 00:47 - 00000000 ___HD C:\Program Files (x86)\Temp
2017-04-14 17:55 - 2016-11-11 18:13 - 1886344 _____ (Microsoft Corporation) C:\Users\Ji\AppData\Local\Temp\dllnt_dump.dll
S2 FirefoxDL; C:\WINDOWS\TEMP\hp1E0B.tmp\QQBrowser.exe [131640 2015-01-06] (Tencent Inc.)
Task: {77813FB4-088A-4F7C-8362-04F436073F4A} - no filepath
IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe
IFEO\GoogleUpdaterService.exe: [Debugger] 8736459873644.exe
Folder: C:\WINDOWS\SysWOW64\3333333
Folder: C:\WINDOWS\SysWOW64\00
Folder: C:\WINDOWS\SysWOW64\1111
Tcpip\Parameters: [DhcpNameServer] 202.188.18.188 1.9.1.9
Tcpip\..\Interfaces\{026cc9cb-8a7c-4b29-8273-df06ca31f7e2}: [DhcpNameServer] 1.9.1.9 202.188.0.133
Tcpip\..\Interfaces\{6acc62d6-778d-43a8-a96e-df36967578a5}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{82241975-9414-47e7-9958-f3197270da5c}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{82241975-9414-47e7-9958-f3197270da5c}: [DhcpNameServer] 202.188.18.188 1.9.1.9
Tcpip\..\Interfaces\{9d14a70f-12e4-484e-b6b9-b367a139a1a3}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{9d14a70f-12e4-484e-b6b9-b367a139a1a3}: [DhcpNameServer] 172.20.10.1
CMD: Dir /a:d C:\WINDOWS\SysWOW64
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

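The fix above targets several distinct persistence points at once (an IFEO "Debugger" entry on GoogleUpdate.exe, a Run key and a kernel driver loading from the user profile, orphaned and unsigned scheduled tasks, and a batch of inbound firewall allow rules). As an added illustration, not part of the helper's reply or of FRST itself, the Python below parses lines in the FRST format used in that fix and sorts them into those categories; the sample lines are constructed from values in the thread plus one benign Run entry, and the category names are my own.

```python
import re

# Constructed sample lines in the FRST line format seen in the fix above (values taken
# from the thread plus one benign Run entry); not a real log from the poster's machine.
SAMPLE_LINES = [
    r'IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe',
    r'HKU\S-1-5-21-1816971154-4276762950-2494795807-1001\...\Run: [background_fault] => "C:\Users\Ji\AppData\Local\background_fault\aswRD.exe" "C:\Users\Ji\AppData\Local\background_fault\bf.dll",background_fault_collector <===== ATTENTION',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe (Microsoft Corporation)',
    r'Task: {39AC05EA-C641-42C9-8775-C2E0C3CB60B8} - \Dresywoks -> No File <==== ATTENTION',
    r'Task: {5A5CE712-12A0-485A-9EE8-D43C8336F720} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-11] () <==== ATTENTION',
    r'R3 gkernel; C:\Users\Ji\AppData\Local\Temp\gkernel.sys [50680 2017-05-11] () <==== ATTENTION',
    r'S2 FirefoxDL; C:\WINDOWS\TEMP\hp1E0B.tmp\QQBrowser.exe [131640 2015-01-06] (Tencent Inc.)',
    r'FirewallRules: [{85CF07F7-79B5-4E60-A12D-B0CDF7BE9FC2}] => (Allow) LPort=6900',
]

# Locations a standard user can write to; legitimate services and drivers rarely load from here.
USER_WRITABLE = re.compile(r'\\(AppData\\(Local|Roaming)|Temp|ProgramData)\\', re.IGNORECASE)


def triage(line):
    """Classify one FRST line. Returns (category, detail) or None when nothing stands out."""
    line = line.strip()
    # Image File Execution Options "Debugger": every launch of the named exe runs the
    # "debugger" instead, here used to stop the browser's updater from ever running.
    m = re.match(r'IFEO\\(\S+): \[Debugger\] (\S+)', line)
    if m:
        return ('ifeo_hijack', f'{m.group(1)} is redirected to {m.group(2)}')
    # Scheduled task whose action file no longer exists: leftover from removed adware.
    m = re.match(r'Task: \{[0-9A-Fa-f-]+\} - (.+?) -> No File', line)
    if m:
        return ('orphaned_task', m.group(1))
    # Scheduled task that runs a file with an empty publisher field "()", i.e. unsigned.
    m = re.match(r'Task: \{[0-9A-Fa-f-]+\} - (\S+) => (.+?) \[.*?\] \(\)', line)
    if m:
        return ('unsigned_task', f'{m.group(1)} runs {m.group(2)}')
    # Service or driver entry (R = running, S = stopped) loading from a user-writable path.
    m = re.match(r'[RS][0-4] (\w+); (.+?) \[', line)
    if m and USER_WRITABLE.search(m.group(2)):
        return ('service_from_user_path', f'{m.group(1)} loads {m.group(2)}')
    # Run-key autostart whose target lives in the user profile or Temp.
    m = re.search(r'\\Run: \[([^\]]+)\] => (.+)', line)
    if m and USER_WRITABLE.search(m.group(2)):
        return ('autorun_from_user_path', m.group(1))
    # Inbound allow rule on an arbitrary local port, added without the user's knowledge.
    m = re.match(r'FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => \(Allow\) LPort=(\d+)', line)
    if m:
        return ('firewall_allow_inbound', f'port {m.group(1)}')
    return None


def triage_report(lines):
    """Map each category to the details of the lines that fell into it."""
    report = {}
    for line in lines:
        hit = triage(line)
        if hit:
            report.setdefault(hit[0], []).append(hit[1])
    return report
```

Running `triage_report` over a full FRST.txt and Addition.txt gives a first pass at which entries deserve a fixlist line; the benign SecurityHealth entry is left out because it loads from system32 with a publisher.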

#3 feus5889

Posted 12 May 2017 - 10:33 PM

Hi Mr. JSntgRvr, thank you for your reply. 

 

What should I do with the content in the quote box after copying them? 
Am I supposed to paste the content in the quote box somewhere?

Cheers,
feus5889

 


Edited by feus5889, 12 May 2017 - 10:35 PM.


#4 JSntgRvr

  • Malware Response Team

Posted 12 May 2017 - 10:40 PM

Once you click the Fix button it will be processed by FRST from the clipboard.



#5 feus5889


Posted 13 May 2017 - 12:52 AM

Hi, here are the text files after running FRST, Junkware Removal Tool, and AdwCleaner. 

 

 

Attached Files



#6 JSntgRvr

  • Malware Response Team

Posted 13 May 2017 - 09:05 AM

Re-scan with AdwCleaner and click on the Clean button.

 

 One more scan:

Please download Malwarebytes to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.



  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected items and click on "Quarantine Selected".
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

 




#7 feus5889


Posted 13 May 2017 - 11:08 AM

After scanning with Malwarebytes I got this report; there is 0 malware detected. 

Attached Files



#8 JSntgRvr

  • Malware Response Team

Posted 13 May 2017 - 11:55 AM

How is the computer doing?




#9 feus5889


Posted 13 May 2017 - 12:25 PM

It's doing great so far, no signs of virus. Hopefully it stays this way! 
I'll keep you posted, Mr. JSntgRvr. 

Thanks for your help.



#10 JSntgRvr

  • Malware Response Team

Posted 13 May 2017 - 01:10 PM

Congratulations :)

 

Let's clean up those diagnostic tools you don't need.

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)

 

Always keep an antivirus active and updated.

 

Best regards.   :hello:




#11 JSntgRvr

  • Malware Response Team

Posted 17 May 2017 - 05:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





