Amazon sign-in redirect


1 reply to this topic

#1 mw14000

mw14000

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:26 PM

Posted 15 January 2018 - 04:57 PM

This situation keeps getting more complicated as time goes on. I'll try to explain the best I can and in a chronological fashion.

 

Prior to the problem below, I experienced a hard drive failure (7-year-old Seagate just died) and popped a new one into place. I installed Windows 7 and put my backups back on my laptop. This occurred on December 28-30th. Since replacing the hard drive, everything has been normal until 3 days ago.

 

I share an Amazon Prime account with my brother. Starting 3 days ago, I get redirected to this page when logging in to Amazon: https://i.imgur.com/Sn5TXod.jpg (sorry about the literal picture of a computer screen, I used my phone to text it to my brother so we could investigate).

 

This has never happened before and does not happen on any other computer that isn't my laptop. I was obviously concerned about phishing, so I knew something was wrong. The URL during the redirect (which I could link if requested) appears to be legitimate, but I could be wrong. Since this began, my browser (Firefox) has been repeatedly crashing at random points in time. Sometimes it crashes on startup, sometimes when opening a new tab. It's completely random. It crashed while making this post, just out of spite.

 

I tested the redirect to see if it happens with any other browsers. It also occurs with Chrome, a fresh install of Firefox, but not with IE. The Amazon sign-in will occur normally (no re-direct) with IE, but I am greeted with this error before and after signing in: https://i.imgur.com/awubFxK.png?1

 

After doing this testing, I downloaded AVG, Malwarebytes, and the Windows Malicious Software Removal tool and ran them all. AVG found nothing. Malwarebytes found some registry keys that I quarantined and took care of. This didn't fix it. The Windows tool found 5 files that it took care of. This still didn't fix it.

 

Since running those tools, Malwarebytes is now actively stopping something called "Trojan.Dridex" every hour. It quarantines the file (bcrypt.dll), but I get a real-time alert the next hour, on the hour, that it quarantined it again. I saved the log file if requested. Despite all of this, I'm still getting the Amazon redirect.

 

I'm not sure what to do or how to proceed at this point. I changed passwords as necessary, but I'm totally lost. Any help or assistance would be greatly appreciated. Thanks in advance!

 

Edit: Since making this post, AVG just found "Win64:Malware-gen" and quarantined/deleted it. Still getting the redirect.

 

Edit2: I also just found a task called "TpmInit.exe" that is scheduled to run at :23 every hour. It is located in the directory C:\Windows\System32\5557 along with the infected file bcrypt.dll. How should I proceed with these system32 files?

 

Edit3: I think I solved this myself. I downloaded HitmanPro, which not only deleted C:\Windows\System32\5557\bcrypt.dll, but another .dll contained in an oddly-named subfolder stored in C:\Users\Username\Appdata\Roaming. This subfolder kept re-appearing after deletion, so I restarted and it was gone. The redirect no longer occurs on any browser. This was what the software described as "Gen.Variant.Mikey" and was evidently hijacking my browser, among other things. I'm gonna just run some more AV scans and call it good, unless anyone on here can offer more suggestions.


Edited by mw14000, 15 January 2018 - 08:18 PM.
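The two findings in the post above (an hourly scheduled task living in an oddly named System32 subfolder, and a DLL with a system name such as bcrypt.dll sitting outside System32 or under AppData\Roaming) are a pattern worth checking for directly rather than waiting for an AV signature. The triage script below is an added example and is not from the thread or from any of the tools mentioned in it. It assumes Windows 7 or later with PowerShell 4.0 (for Get-FileHash) run from an elevated prompt; the task path, folder and DLL name it is built around are the ones the OP reported, and the list of other hijackable DLL names is my own assumption and can be extended.

```powershell
<#
  Added triage script (example, not from the thread or any tool named in it).
  Assumes Windows 7+ with PowerShell 4.0+, run elevated. Built around the OP's
  findings (C:\Windows\System32\5557\TpmInit.exe, bcrypt.dll); the wider list of
  DLL names below is an assumption, extend it as needed.
#>

$SysRoot     = $env:SystemRoot
$TrustedDirs = @("$SysRoot\System32", "$SysRoot\SysWOW64")

# A file is "trusted" only if its parent IS one of the trusted dirs, not merely
# under one: C:\Windows\System32\5557 therefore fails, exactly the OP's case.
function Test-TrustedDir([string]$FilePath) {
    $parent = Split-Path -Parent $FilePath
    return [bool]($TrustedDirs | Where-Object { $parent -ieq $_ })
}

# Extract the executable from a schtasks "Task To Run" value, which is either
#   "C:\some dir\x.exe" /args    or    C:\x.exe /args
function Get-TaskExecutable([string]$TaskToRun) {
    $s = $TaskToRun.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    return ($s -split '\s+')[0]
}

# Repeating tasks whose binary is outside System32/SysWOW64 or not validly signed.
function Get-SuspiciousRepeatingTasks {
    # schtasks repeats its CSV header once per task folder; drop those rows.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notin @('', 'N/A') }
    foreach ($r in $rows) {
        $repeat = $r.'Repeat: Every'
        if ($repeat -in @('', 'N/A', 'Disabled')) { continue }   # one-shot or calendar-only tasks
        $exe = [Environment]::ExpandEnvironmentVariables((Get-TaskExecutable $r.'Task To Run'))
        $sig = if (Test-Path -LiteralPath $exe) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status
               } else { 'Missing' }                              # COM handlers and deleted binaries land here
        if (-not (Test-TrustedDir $exe) -or $sig -ne 'Valid') {
            [pscustomobject]@{
                Task         = $r.TaskName
                RepeatsEvery = $repeat
                Executable   = $exe
                Signature    = $sig
                RunAs        = $r.'Run As User'
            }
        }
    }
}

# DLL names that are commonly planted next to a binary so the loader picks them up
# before the real copy in System32 (assumed list; bcrypt.dll is the OP's finding).
$HijackNames = 'bcrypt.dll', 'version.dll', 'cryptbase.dll', 'dwmapi.dll', 'uxtheme.dll', 'wtsapi32.dll'

# Copies of those names in user-writable locations or numeric-named System32 subfolders,
# compared by SHA-256 against the genuine System32 file.
function Find-DllLookalikes {
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) +
             @(Get-ChildItem -LiteralPath "$SysRoot\System32" -Directory -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -match '^\d+$' } | ForEach-Object FullName)
    foreach ($root in ($roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $HijackNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $genuine = Join-Path "$SysRoot\System32" $_.Name
            $same = (Test-Path -LiteralPath $genuine) -and
                    ((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq
                     (Get-FileHash -LiteralPath $genuine  -Algorithm SHA256).Hash)
            [pscustomobject]@{
                Path                = $_.FullName
                Signature           = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                MatchesSystem32Copy = $same
                LastWrite           = $_.LastWriteTime
            }
        }
    }
}

Write-Output "== Repeating scheduled tasks outside System32 or not validly signed =="
Get-SuspiciousRepeatingTasks | Format-Table -AutoSize
Write-Output "== Hijackable DLL names found outside System32 =="
Find-DllLookalikes | Format-Table -AutoSize
```

Treat both tables as a triage list, not a verdict: legitimate software schedules unsigned updaters too, so the interesting rows are the ones that combine an unusual directory, a short repeat interval and a system-looking name, as the :23-past-the-hour TpmInit.exe in System32\5557 did. Two caveats: on Windows 7 many Microsoft DLLs are catalog-signed, so Get-AuthenticodeSignature reports NotSigned even for the genuine System32 copy, which is why the hash comparison (MatchesSystem32Copy) is the more reliable signal there; and a planted DLL that the AV keeps re-quarantining every hour, as in the OP's log, points at the scheduled task that re-drops it, so record the task's path and the file hashes before removing either.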




#2 buddy215

buddy215

  • Moderator
  • 13,134 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:26 PM

Posted 16 January 2018 - 08:42 AM

Welcome to BC....

 

Along with the programs you ran that ended the redirect...I suggest you use the programs below to clean, remove malware and remove adware. The last program can be used to check security and advise on programs needing updating.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

 

  • Please download Security Check by glax24 and save the file to the Desktop.
  • Run the tool by accepting all the security prompts.
  • When complete, the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard.
  • Simply paste the log into your reply.




