
extension.citypage.today Virus Removal Help


  • This topic is locked
13 replies to this topic

#1 ctspeedy95

ctspeedy95

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:11:00 AM

Posted 05 February 2018 - 04:54 PM

I somehow managed to get this virus despite having a working Windows Defender running and scanning all the time. All it really is doing is annoyingly redirecting all my google searches to Bing but I imagine this isn't something I want to leave on my laptop. I don't know if this is related, but it's also now asking me every time I boot up what operating system I want to run and I hit enter on Windows 10 and it boots up fine. I just need help removing this virus completely. There's nothing showing up in my Google Chrome extensions that would explain what is going on. 




 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:00 PM

Posted 05 February 2018 - 05:26 PM

Hello

  •   Welcome to Bleeping Computer.
  •   My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  •   Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  •   If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  •   Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  •   In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  •   Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  •   I will be analyzing your log. I will get back to you with instructions.


 Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
   


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 ctspeedy95


Posted 05 February 2018 - 05:33 PM

I attached the files instead. It was crashing my chrome trying to paste them in. Hopefully that doesn't screw things up. 

Attached Files



#4 fireman4it


Posted 05 February 2018 - 06:07 PM

1.

Download Malwarebytes Anti-Rootkit Supplement from here

Once you have downloaded the tool (contained in a .zip folder), you will need to extract the contents. We recommend extracting to your desktop.
 
To extract the files, locate the zipped folder that you want to unzip (extract) files or folders from. To unzip all the contents of the zipped folder, press and hold (or right-click) the folder, select Extract All, and then follow the instructions. Save them on your desktop.

After the files are extracted, double-click the mbar.cmd file. If you are unsure which file this is, try double-clicking both files named mbar - only one of them will run.
 
Update the Database, then click on Next, then on Scan.

  • Let it complete its scan (this can take a while);
  • Once the scan is done, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Copy/paste the content of that log in your next reply;

 

2.

After running MBAR please run FRST again and post the new FRST.txt




#5 ctspeedy95


Posted 05 February 2018 - 06:26 PM

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2018.02.05.10
  rootkit: v2018.01.23.01
 
Windows 10 x64 NTFS
Internet Explorer 11.1002.17074.0
colin :: DESKTOP-JSCGSU8 [administrator]
 
2/5/2018 4:09:50 PM
mbar-log-2018-02-05 (16-09-50).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 237962
Time elapsed: 9 minute(s), 43 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 1
C:\Users\colin\AppData\Local\wndplt.dll (Trojan.ProxyAgent) -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 1
HKU\S-1-5-21-1363144225-3694055549-4064340856-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|wndplt (Trojan.ProxyAgent) -> Data: rundll32.exe "C:\Users\colin\AppData\Local\wndplt.dll",wndplt -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\colin\AppData\Local\wndplt.dll (Trojan.ProxyAgent) -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
Again I attached the FRST.txt file. 

Attached Files

  • Attached File  FRST.txt   876.36KB   2 downloads
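
The MBAR log in the post above records the persistence mechanism: a per-user Run value that starts rundll32.exe against a DLL in AppData\Local. As an added example (not part of the thread and not Malwarebytes or FRST code), this Python script parses detection lines copied from that log and flags Run-key values that load a DLL through rundll32; the regular expressions and field names are assumptions fitted to the line format shown in this thread.

```python
import re

# Detection lines copied from the MBAR log quoted in the post above.
MBAR_LOG = r"""
Memory Modules Detected: 1
C:\Users\colin\AppData\Local\wndplt.dll (Trojan.ProxyAgent) -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
Registry Values Detected: 1
HKU\S-1-5-21-1363144225-3694055549-4064340856-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|wndplt (Trojan.ProxyAgent) -> Data: rundll32.exe "C:\Users\colin\AppData\Local\wndplt.dll",wndplt -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\colin\AppData\Local\wndplt.dll (Trojan.ProxyAgent) -> Delete on reboot. [a7f7746d8f28a0963fede513c53ded13]
"""

# Assumed line formats, derived only from the log lines shown in this thread.
SECTION = re.compile(r"^(?P<section>.+?) Detected: \d+$")
DETECTION = re.compile(
    r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^\[]+?)\. \[(?P<md5>[0-9a-f]{32})\]$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
RUNDLL32 = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata|programdata)\\", re.I)


def parse_detections(log):
    """Return one dict per detection line, tagged with its log section."""
    section, found = None, []
    for line in log.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            section = m["section"]
        elif (m := DETECTION.match(line)):
            found.append({"section": section, **m.groupdict()})
    return found


def rundll32_autoruns(log):
    """Flag Run/RunOnce values whose data starts a DLL through rundll32."""
    detections = parse_detections(log)
    # Paths from the "Files" section, used to tie the autorun to a file on disk.
    on_disk = {d["object"].lower() for d in detections if d["section"] == "Files"}
    findings = []
    for d in detections:
        if d["section"] != "Registry Values" or not d["data"]:
            continue
        key, _, value_name = d["object"].rpartition("|")
        cmd = RUNDLL32.match(d["data"])
        if not (RUN_KEY.search(key) and cmd):
            continue
        dll = cmd["dll"]
        findings.append({
            "key": key, "value": value_name, "dll": dll, "export": cmd["export"],
            "user_writable": bool(USER_WRITABLE.match(dll)),
            "dll_also_detected_on_disk": dll.lower() in on_disk,
            "per_user": key.upper().startswith(("HKU\\", "HKCU\\")),
        })
    return findings


if __name__ == "__main__":
    for finding in rundll32_autoruns(MBAR_LOG):
        print(finding)
```
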


#6 fireman4it


Posted 05 February 2018 - 06:50 PM

 
Download attached fixlist.txt file and save it to  the Desktop

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Attached File  fixlist.txt   2.33KB   22 downloads

 

 

 




#7 ctspeedy95


Posted 06 February 2018 - 11:06 AM

I can't download the fixlist. Every time I try I get a "failed - insufficient permissions" error. I've tried downloading it to the desktop, downloads, documents and even a couple thumbdrives and nothing. Still the same error.


Edited by ctspeedy95, 06 February 2018 - 11:13 AM.


#8 ctspeedy95


Posted 06 February 2018 - 11:33 AM

Never mind the failed downloads, I got it to work:

 

 

Attached Files



#9 fireman4it


Posted 06 February 2018 - 11:39 AM

    • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

      Note: You need to download the version compatible with your machine i.e. 32-bit or 64-bit.

      Plug the flashdrive into the infected PC.
    • Enter System Recovery Environment Command Prompt:

      Instructions for Windows 10
      Instructions for Windows 8
      Instructions for Windows 7
    • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#10 fireman4it


Posted 08 February 2018 - 08:38 AM

Hello, do you still need help? If I haven't received a reply I will close this topic in 3-5 days.




#11 ctspeedy95


Posted 08 February 2018 - 10:56 AM

Sorry, yes I'm still here. I'm having trouble booting to advanced startup. I don't know why I can't do it without an installation USB. I have one at home I can try and use tonight.



#12 fireman4it


Posted 08 February 2018 - 12:02 PM

Here is something else you can try if you're unable to get into advanced setup. Make sure to do all the downloading on a clean computer first.
 
If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process

NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.
Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)
NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


STEP 1
Download a Windows 10 ISO image from Microsoft.

Method A: Using the Microsoft Media Creation Tool
https://www.microsoft.com/en-gb/software-download/windows10
Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

Follow the instructions displayed on the tool to download the Windows 10 ISO image.

In my testing I was not prompted for a license key to download the latest Windows 10 ISO image.
At the time of this writing 2017/12/21 there was only one ISO image offered. Windows 10

32-bit x86 or 64-bit x64

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit


Method B: If Method A: above is not working for you then you can try the following method
Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)
https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool
Download: https://www.heidoc.net/php/Windows%20ISO%20Downloader.exe

STEP 2
If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

Download the Windows USB/DVD Download Tool from GitHub and save to your computer.
English version: https://github.com/mantas-masidlauskas/wudt/raw/master/Downloads/Windows7-USB-DVD-Download-Tool-Installer-en-US.exe

Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1
Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.



STEP 3
Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

STEP 4
Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.
Once the computer is shut down then insert the newly created Windows 10 USB disk into the infected computer and power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key for various computer manufacturers is used to bring up the boot menu. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into the Normal Windows instead of the USB stick it may become infected and need to be completely redone again. Make sure you select the correct boot option.

How to Boot Your Computer from a USB Flash Drive

STEP 5
Once the computer starts to boot up from the USB disk, follow the screens and directions below.


You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created


For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

Example only - your hardware will look different
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy

Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

CD /D D: (or E: or whichever drive letter the USB stick is on)

Then type in CD\
and press the Enter key to get to the root or top of the USB disk.

Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.



#13 fireman4it


Posted 12 February 2018 - 09:53 AM

Hello, do you still need help? If I haven't received a reply I will close this topic in 3-5 days.




#14 fireman4it


Posted 20 February 2018 - 02:55 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





