Referral Virus


This topic is locked
6 replies to this topic

#1 FsGraphy
Members, 4 posts

Posted 05 July 2017 - 02:22 AM

Hello there,

For the last 2-3 days my browsers have been hijacked by some virus, and it keeps redirecting to some websites. Malwarebytes can't find it when I search for it, but Malwarebytes does block the outbound connection; even so, some sites still manage to redirect.

Can anyone please help me with this? 

 

I am running Windows 10. I have tried multiple antivirus products, but none of them are able to find the virus. When I open Amazon, the site opens again with someone's referral ID. Please help.


#2 Valinorum
Shadow Hide The Hunter
Malware Response Instructor, 1,766 posts

Posted 05 July 2017 - 06:59 AM

Hi,

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process and so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from the internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on another system as it may do serious damage.
 
  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      Task: {12E18356-4213-4C08-810F-646AD7858A80} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
      Task: {1362B5E8-2C35-4A69-9551-66F2AB5DA497} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
      Task: {9BDBDB48-233A-4475-925E-7371D173E28A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
      Task: {C349EA77-D6BD-427A-8E56-06B30D170E71} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
      Task: {FB67C1CA-D401-42EF-81D7-CD3127697D4E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
      Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
      Shortcut: C:\Users\Afy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\realtech VR\OpenGL Extensions Viewer 4.1\OpenGL Extensions Viewer 4.1 Home Page.lnk -> hxxp://www.realtech-vr.com/glview
      Shortcut: C:\Users\Afy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\realtech VR\OpenGL Extensions Viewer 4.1\realtech VR Home Page.lnk -> hxxp://www.realtech-vr.com
      HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
      GroupPolicy: Restriction <==== ATTENTION
      File: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Step #2 Scan with Zemana Anti-malware
    Download and install Zemana anti-malware from here.
    • Double-click to run the software;
    • Click on the gear-icon on the top right portion to navigate to Settings.
      • Click on Scan > put a tick on Create System Restore
      • Click on Advanced > put a tick on Check for Suspicious (root CA) Certificates
    • Click the home icon on top left and click on Scan
    • After scan finishes click on the report tab on the top right corner;
    • Choose the latest report by clicking on it and click on Open Report afterward.
    • Copy and Paste the contents of the report in your next reply.

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or the Moderators to reactivate. All help is provided via the forum, ergo do not PM me for help.

 


#3 FsGraphy (Topic Starter)
Members, 4 posts

Posted 05 July 2017 - 09:49 AM

Hello Valinorum,

Sorry for the late reply. I've done as you asked me; sorry to say, but the pop-ups still keep coming. While some of them are being blocked by Malwarebytes, some still pop up in Chrome or Firefox.

I don't know why, but I can't seem to upload any files; the option to attach files is greyed out. And whenever I open BleepingComputer there are several attempts to redirect the site, but Malwarebytes seems to block it.

 

Is there anywhere else I can send the reports?

 

http://imgur.com/a/p6y11


Edited by FsGraphy, 06 July 2017 - 02:41 AM.


#4 FsGraphy (Topic Starter)
Members, 4 posts

Posted 05 July 2017 - 09:56 AM

I am using Edge now, I can upload them.

A weird thing just happened: whenever I try to load bleepingcomputer.com/forums in Chrome, the page gets stuck, and I can't seem to do anything in it other than change the tabs.

And the weird mouse shaking also started again, and even the mouse pointer freezes for some seconds.

 

Please help.


Edited by FsGraphy, 05 July 2017 - 10:07 AM.


#5 Aura
Bleepin' Special Ops
Malware Response Team, 19,670 posts

Posted 07 July 2017 - 06:26 PM

Hi FsGraphy :)

Vali is currently away and he asked me to step into your thread so you don't get stuck waiting for him to come back. I noticed something odd in the screenshot you linked: your Google Chrome shows BleepingComputer as not secure, even though it fully supports HTTPS. Go to BleepingComputer, press the F12 key to open the developer console, click on the two little arrows (pointing to the right) in the top-right corner, and select Security. From there, click on the View Certificate button, go to the Certification Path tab, take a screenshot of it and attach it here.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
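The certificate-chain check described above, as an added example that is not part of the original thread: a PowerShell snippet (run on the affected Windows machine; the function name is my own) that lists root CAs present only for the current user, the place where HTTPS-intercepting adware typically installs its certificate.

```powershell
# Added example, not code from the thread. Run in a normal PowerShell session
# on the affected Windows machine (no elevation needed to read either store).
#
# Adware that intercepts HTTPS usually plants its own root CA in the current
# user's "Trusted Root" store, because writing there needs no admin rights.
# Windows merges the machine-wide roots into the per-user view, so anything in
# Cert:\CurrentUser\Root that is absent from Cert:\LocalMachine\Root was added
# for this user specifically and deserves a look.

function Get-UserOnlyRootCA {
    $machine = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore   # a very recent date on a "root" is a red flag
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

$suspects = Get-UserOnlyRootCA
if (-not $suspects) {
    Write-Output "No per-user root CAs found; the certificate problem is likely elsewhere."
} else {
    # Compare each Subject with the top entry of Chrome's Certification Path tab:
    # a match means the browser's chain ends at a locally planted root.
    $suspects | Sort-Object NotBefore -Descending | Format-Table -AutoSize
}
```

A root that appears here and matches the issuer shown in the browser's certificate path is the thing to remove; a legitimate corporate or antivirus root can also show up, so check the Subject before acting.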


#6 FsGraphy (Topic Starter)
Members, 4 posts

Posted 07 July 2017 - 11:38 PM

Hello Aura,

 

I am currently getting help at Malwarebytes. If you need the photo anyway, I'll send a link, because I can't attach it.

http://imgur.com/a/lPITs



#7 Aura
Bleepin' Special Ops
Malware Response Team, 19,670 posts

Posted 08 July 2017 - 08:36 AM

I just saw your thread over at Malwarebytes and that you're being assisted by AdvancedSetup. I'll close your thread here for the following reason:

Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.


Though I will send AdvancedSetup a PM over there regarding the HTTPS situation as it might provide some insight on what to do next.

You're still in good hands with AS, so no worries :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
