
Going insane over this


14 replies to this topic

#1 Garytwitts

Garytwitts

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 01 March 2018 - 08:00 PM

Hi everyone, first time poster. I've really gone mad about this problem and I've exhausted every possible avenue to resolve this.

 

Basically, I'm hijacked by delton.com and another called go2pubserve.com. On certain websites (reputable ones), I always get redirected to some crappy game or shopping website. I cannot use YouTube; videos or the main screen do not load.

 

There is not a trace of this on my CPU. I've searched manually in regedit, downloaded several anti-malware products, read dozens of removal guides, and it just keeps coming back. Nothing is on my system from what I can see. I've also even re-installed Windows 10 and that didn't work.

 

I only get it at home from my ISP here. I'm working in Egypt but I'm not Egyptian and my Arabic is crap, so their tech support is woeful. Eventually, after almost an hour of going back and forth with the tech guy, we created a new Wi-Fi account and altered some settings. It worked, until the next morning and the dreaded deloton crap was back. Wi-Fi, ethernet, it doesn't matter; it just keeps coming back to haunt my life.

 

It has to be something coming from my home network. When I use my iPhone or laptop on outside connections, everything is fine.

 

I don't know what to do and it's so annoying. Any advice?


Edited by Garytwitts, 01 March 2018 - 08:02 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 02 March 2018 - 07:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


:step1:
Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

:step2:
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

:step3:
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs for my review.

Let me know what problems persist.
==============================

#3 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 03 March 2018 - 04:44 PM

Hi thanks for getting back to me.

 

Malwarebytes found one PUP file. For the others, I'm attaching the reports. Thanks for your help. Let me know what to do next.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 04 March 2018 - 10:20 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
Tcpip\Parameters: [DhcpNameServer] 185.162.9.197 8.8.4.4
Tcpip\..\Interfaces\{58c3f01a-3d4f-4df2-a542-ff5cffd8368a}: [DhcpNameServer] 185.162.9.197 8.8.4.4
Tcpip\..\Interfaces\{a0874cdb-f9e2-470f-9cd5-6ddb7e2e09ca}: [DhcpNameServer] 185.162.9.197 8.8.4.4
URLSearchHook: [S-1-5-21-4290669990-905087203-1357214960-1001] ATTENTION => Default URLSearchHook is missing

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {E81216E1-8CE9-4A3C-B10C-8E808E22F046} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION

RemoveProxy:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
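The fixlist above rewrites the DHCP-assigned DNS servers recorded under Tcpip\Parameters and then flushes and renews the lease. Because the redirects in this thread follow the home network rather than any one device, those DhcpNameServer lines are the part of an FRST log worth triaging first: a public resolver handed out by DHCP that the owner does not recognise is what to investigate (with the ISP or by checking the router's DNS settings). The script below is an added example, not FRST's or nasdaq's code; it parses constructed FRST-style Tcpip lines (copied from the fixlist above plus one constructed line with a private-range router address) and flags any public resolver that is not on a TRUSTED_RESOLVERS allowlist, which is an assumption you would edit to match your own ISP or router.

```python
import ipaddress
import re

# Constructed sample input: the two Tcpip lines from the fixlist above, plus one
# constructed interface line whose resolver is the home router (private range).
SAMPLE_FRST_LINES = """\
Tcpip\\Parameters: [DhcpNameServer] 185.162.9.197 8.8.4.4
Tcpip\\..\\Interfaces\\{58c3f01a-3d4f-4df2-a542-ff5cffd8368a}: [DhcpNameServer] 185.162.9.197 8.8.4.4
Tcpip\\..\\Interfaces\\{00000000-0000-0000-0000-000000000000}: [DhcpNameServer] 192.168.1.1
"""

# Assumption: the resolvers this machine's owner expects to see (Google Public DNS here).
# Anything inside the LAN (the router itself) is accepted separately below.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Matches "Tcpip\...: [DhcpNameServer] <ip> <ip> ..." as FRST prints it.
DNS_LINE = re.compile(r"^(?P<key>Tcpip\\[^:]*):\s*\[DhcpNameServer\]\s*(?P<servers>.*)$")


def parse_dhcp_nameservers(log_text):
    """Return (registry_key, [server, ...]) tuples for every DhcpNameServer line."""
    results = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            results.append((m.group("key"), m.group("servers").split()))
    return results


def classify_resolver(addr):
    """'lan' for private/loopback/link-local, 'trusted' if allowlisted, else 'unexpected'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "lan"
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    return "unexpected"


def find_unexpected_resolvers(log_text):
    """Map each resolver that is neither LAN nor allowlisted to the keys it appears under."""
    findings = {}
    for key, servers in parse_dhcp_nameservers(log_text):
        for server in servers:
            if classify_resolver(server) not in ("lan", "trusted"):
                findings.setdefault(server, []).append(key)
    return findings


if __name__ == "__main__":
    report = find_unexpected_resolvers(SAMPLE_FRST_LINES)
    if not report:
        print("All DHCP-assigned resolvers are LAN addresses or allowlisted.")
    for server, keys in report.items():
        print(f"Investigate resolver {server}, handed to {len(keys)} interface key(s):")
        for key in keys:
            print(f"    {key}")
```

On the constructed sample the only hit is 185.162.9.197, reported once for the global Tcpip\Parameters key and once for the first interface GUID; 8.8.4.4 is allowlisted and 192.168.1.1 is treated as the router. A resolver flagged this way is a lead to confirm against the router's DNS configuration, not proof of compromise on its own.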

#5 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 04 March 2018 - 05:38 PM

Hi. Still get the same problem even after doing those fixes.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 05 March 2018 - 08:36 AM

Hi,

Are these redirects happening on all browsers or just Edge?

Are you Syncing any browsers with other Devices?

#7 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 05 March 2018 - 09:39 AM

I mainly use Chrome but it's happening on all browsers, Chrome, Edge, Firefox. All of them.

 

No syncing of devices either.


Edited by Garytwitts, 05 March 2018 - 09:39 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 05 March 2018 - 10:23 AM

Hi,

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Let's see what we can find in the Registry.

Download the SystemLook appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the following text into the main textfield:
    :regfind
    delton.com;go2pubserve.com
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

Post the logs for my review.

#9 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 05 March 2018 - 05:29 PM

Nothing found at all. It's very weird. What do you think the problem is?

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 06 March 2018 - 08:10 AM

Hi,

My syntax is wrong; run SystemLook and enter this (just as posted) in the Reg search box.

:regfind
delton.com
go2pubserve.com


Submit the log for my review.

#11 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 06 March 2018 - 06:10 PM

Still nothing showing up. Copied/pasted like you asked.

Attached Files


Edited by Garytwitts, 06 March 2018 - 06:11 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 07 March 2018 - 08:51 AM

Hi,

Your copy of Chrome has been compromised

:step1: Remove Chrome from your Computer and reinstall a fresh copy later.

:step2: Before you remove Chrome Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

:step3: If you sync your account you must remove it before you save your bookmarks etc...
Delete your Google Chrome browser sync data if you sync with other devices.
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

:step4: Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

:step5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

:step6: Re-install Chrome and the Bookmarks.
====

Let me know if the problem persists.

#13 Garytwitts

Garytwitts
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 07 March 2018 - 03:24 PM

I'd already tried that step before and it didn't work. Tried it again now and the redirect is still there.

 

I'm convinced there's something in the network that's giving me this, or it's very deeply rooted in my system.


Edited by Garytwitts, 07 March 2018 - 03:25 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 08 March 2018 - 08:11 AM

Hi,

I know you contacted your ISP. Was your router reset at the time?

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html
===

Possible ENTERPRISE POLICY issues.

Read the instructions on this page if applicable.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

Remove Installed by enterprise policy extension from Chrome.

If you find one and cannot remove it let me know the ID NUMBER that you have found.
<<<>>>

This may also be the issue.

Forget Email. Web Sites Use Notifications to Spam Your Browser Instead
Removing notification subscriptions is easy
Works for Chrome and Firefox.
https://www.bleepingcomputer.com/news/security/forget-email-web-sites-use-notifications-to-spam-your-browser-instead/
<<<>>>

Keep me posted.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:35 AM

Posted 14 March 2018 - 07:56 AM

Are you still with me?



