Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

unstopaccess.net browser hijack and unchangable LAN setting


  • This topic is locked This topic is locked
9 replies to this topic

#1 scottyvor

scottyvor

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 27 May 2017 - 04:12 PM

Hi,

 

Newly registered here as I've had to admit I've come to the end of knowledge on how to deal with this issue. It is basically the same as the issue below, but the solution provided was tailored for the OP, and I am unable (and not stupid enough :P) to butcher the fix file proved.

 

https://www.bleepingcomputer.com/forums/t/645718/unstopaccesscom-browser-hijack/

 

Like this thread, I was getting the safesearch bar hijacking different pages, including Google, to insert ad results and increase page load times. I ran the usual basic anti-adware and anti-malware suites (Ad aware, Malwarebytes, Bitdefender, etc) which didnt seem to resolve it, so escalated to Hitmanpro and Zemara, which seemed to help with the browser hijack element. However, I'm not convinced I'm fully clean. When I go into "Internet properties", "Connections", "LAN settings", the "use automatic configuration" field is populated with:

 

http://unstopaccess.net/wpad.dat?91291b913be84c99c5a5d8fe2d571b0130964396

 

Although it's unchecked, I can't remove it no matter how many times I delete the URL. I click OK, then open the LAN settings again, and it's back.

 

In addition, I seem to be having some connectivity issues still. It may or may not be connected but my Gigabyte motherboard update utility now no longer connects to the update servers. All this leads me to believe that, despite the scans and sweeps, something of the hijack remains. Like the previous poster I don't want to extend past my limits and end up damaging anything.

 

Have attached my FRST and Addition files here already for your convenience, and won't attempt any further fixing outside of being told in this thread.

 

Huge thanks in advance, appreciate the work you guys do here! :)

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:07 AM

Posted 01 June 2017 - 04:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/647826 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your destop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 scottyvor

scottyvor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 04 June 2017 - 03:34 PM

  • Unchanged issues from original post. I believe I have de-fanged the actual infection through the original multiple scans, but I can't be 100% sure it's fully fixed and healthy. As noted, LAN settings is one odd area that looks likes been messed with and I can't change back, and I can't be sure of other areas - hence logs posted for your review.
  • New FRST log attached. Should be no significant change as I haven't used the PC much.
  • No windows CD/DVD. It was originally a pre-built PC and I still use the original activation code on a Windows sticker on the side of the tower.
  • Cheers.

Attached Files

  • Attached File  FRST.txt   115.03KB   2 downloads


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 05 June 2017 - 07:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 

However, I'm not convinced I'm fully clean. When I go into "Internet properties", "Connections", "LAN settings", the "use automatic configuration" field is populated with:

Remove these settings.

Make sure that ONLY Automatically Detect Setting is Checked.
Remove all the other check marks, proxy and all.
Click the apply button.
===


Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-07]
CHR Extension: (Chrome Media Router) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-07]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {B5065817-1584-4B5E-B104-445735D68C63} - System32\Tasks\{57E1C806-5FD0-4BAA-B721-34200674384B} => pcalua.exe -a "C:\Program Files\ByteFence\ByteFence.exe" -c /uninstall
AlternateDataStreams: C:\Users\Admin\Downloads\378.92-desktop-win10-64bit-international-whql.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\7z1700-x64.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Adware Removal Tool by TSA.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\adwcleaner_6.046.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\adwcleaner_6.047.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\aida64extreme590.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\AMD Ryzen Master UI.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\amd-chipset-drivers-software-17.10rcp22-apr27.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\BRU_setup_3.0.0.1.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\ChromeSetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\CMASetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\cpu-z_1.79-en.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\CrystalDiskInfo7_0_5.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Detection(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\dfsetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\duplicatephotocleanersetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\FRST64.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\hitmanpro_x64(3).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\hitmanpro_x64(4).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\InstallMyDriveConnect(2).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.122-1.0.1976.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\mbar-1.09.3.1001(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\MSI_Kombustor_Setup_3.5.0.4_x64.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\mssstool64.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Namexif.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Nexus Mod Manager-0.63.13.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\OriginThinSetup(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Setup.x86.en-US_ProPlusRetail_4G3NT-F9RT9-Q6WX6-GTRVD-97697_TX_PR_.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\setup_galaxy_1.2.6.25.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\SteamSetup(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\SteamSetup(2).exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\tdsskiller.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\UnityWebPlayer.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\UnityWebPlayer64.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\UplayInstaller.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\Zemana.AntiMalware.Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Admin\Downloads\ZHPCleaner.exe:BDU [0]
C:\Windows\System32\Tasks\{57E1C806-5FD0-4BAA-B721-34200674384B}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

============================

Please let me know what problem persists with this computer.

#5 scottyvor

scottyvor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 05 June 2017 - 10:34 AM

Hi,

 

Thanks for this. Have followed the steps to the letter and just finished resetting my browsers. See fixlog attached.

 

What did you make of the initial logs? Were there legitimate issues there that were just fixed, or was I being over-cautious?

 

One reason I ask is because, although the system looks to be running ok, the LAN setting is still changing and being overwritten with "unstopaccess.net...". To make it clear - the settings are as you suggest - "automatically detect settings" is ticked, "use automatic configuration script" is unticked, as is the proxy setting. I have just tried deleting this value after the fix, and again it always comes back. No matter what combination I try to delete and save the cleared field it's back the next time I open these settings.

 

Is this something I should be worried about? I realise the auto config script isnt ticked so isnt being used, but I am still uncomfortable with something on my system overriding my settings, and worry if its symptomatic of an infection still? See screenshot.

 

Thanks again for your time.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 06 June 2017 - 07:37 AM

Lets see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
unstopaccess.net
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#7 scottyvor

scottyvor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 06 June 2017 - 12:48 PM

Farbar Recovery Scan Tool (x64) Version: 05-06-2017
Ran by Admin (06-06-2017 18:46:03)
Running from C:\Users\Admin\Downloads
Boot Mode: Normal

================== Search Registry: "unstopaccess.net" ===========


====== End of Search ======

 

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 07 June 2017 - 07:20 AM

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
CloseProcesses:

RemoveProxy:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists run this program.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

#9 scottyvor

scottyvor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 07 June 2017 - 12:26 PM

Excellent, it's looking better.  I ran only the first operation with the fix file, and after the reboot I checked the Internet Options - unstopacess no longer the default value there. :) Log attached.

 

With that operation successful are you guys happy the machine is secure now? Or is there value in running RogueKiller anyway?

 

Will go with whatever you suggest, but on my side it's looking better and would consider this resolved. :) Thanks so much for your help - you do good work here.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 07 June 2017 - 12:56 PM

I think you are good.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users