
Infected with a redirect for one website


18 replies to this topic

#1 rojochispas

rojochispas

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 11 August 2018 - 03:45 PM

I am posting screenshots for this problem. When trying to get to a particular website (http://www.kellyresearchtech.com/ka-analyzers.html) using the Chrome or Firefox browsers I get a pharmacy (enclosed screenshots). I have a backup browser (Epic) which is able to get to the correct website.

I have paid subscriptions for

Malwarebytes (lifetime)

Webroot

Hitman Pro

They have found nothing.

From your website (bleeping) i have downloaded and run

rkill

tdsskiller

mbar

adwcleaner (found two items and deleted)

 

The others found nothing, and after the AdwCleaner clean the website will still not come up on Chrome and Firefox. I've also run CCleaner and Glary.

 

This is a first for me, running MS since 3.0, perturbed and pissed in Texas.

 

Note in the Google search page, the website is the first one and it has a green arrow from Webroot saying it is safe.

Note in the pharmacy result the correct address for the KRT site.

Enclosed the correct website from my Epic browser.

 

Thanks for your help.

Attached Files





#2 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 11 August 2018 - 03:57 PM

I am also friends with the website owner. Thought he was hacked and I notified him. He had several people try to get to the website with success, so it's not on his end.

BTW, I deleted both Chrome and Firefox browsers and reinstalled.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 12 August 2018 - 09:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
CCleaner (HKLM\...\CCleaner) (Version: 5.45 - Piriform)
Version 5.45 is compromised. Delete it and get the previous version.
https://www.bleepingcomputer.com/news/software/ccleaner-v545-pulled-due-to-anger-over-usage-data-collection/

HiJackThis (HKLM-x32\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
HijackThis is no longer supported and not ready for your Operating system.
Use the Farbar Recovery Scan Tool from now on to report problems.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
CHR NewTab: Default ->  Not-active:"chrome-extension://gfoabcdjalmeenbjjngidappmppchblc/homePageRedirect.html"
CHR DefaultSearchURL: Default -> hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11908
CHR DefaultSearchKeyword: Default -> NortonSafe
CHR DefaultSuggestURL: Default -> hxxps://ss-sym.search.ask.com/ss?q={searchTerms}&li=ff
CHR Extension: (Norton Home Page for Chrome) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfoabcdjalmeenbjjngidappmppchblc [2017-07-11]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>

Task: {00B4AC4E-15A4-4F0D-A631-1700A11C393E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1036A211-5FD4-4C7B-9782-92AE4D3C5AB2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {111171C1-8AC1-45ED-863A-B93DAA0CD034} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {12B4A250-F636-47F0-82D1-24B1B64F4BBC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {1E73E42E-C113-4675-8F67-4D91415EAE74} - \WPD\SqmUpload_S-1-5-21-3001425339-2667508336-650608641-1001 -> No File <==== ATTENTION
Task: {21365656-7862-47B4-AF3C-39531D2297F8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {26047959-DBE7-42F6-A0A0-E58F5B843DFA} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {491E93FC-2311-4755-8C3E-E11D559AD6F2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6878637C-34E6-4F5A-86FC-E90C349BEDD2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {7431D54A-F80B-4C74-9585-F83E8FF3F7CA} - System32\Tasks\Lenovo\Lenovo-28014 => C:\ProgramData\Lenovo-28014.vbs [2013-03-21] () <==== ATTENTION
Task: {BAB2FC48-60C6-4324-8416-66D8D9967664} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D24B4057-9354-4A8A-84FD-B9159DE34B10} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFD32138-DEDB-4303-8C35-F109B8E38B81} - System32\Tasks\Lenovo\Lenovo-27982 => C:\ProgramData\Lenovo-27982.vbs [2013-03-21] () <==== ATTENTION
2018-06-27 11:24 - 2018-06-27 11:24 - 000061408 _____ () C:\Program Files\CCleaner\branding.dll
C:\Program Files\CCleaner\branding.dll

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Chrome: Delete your Chrome browsing history
https://support.google.com/chrome/answer/95589
<<<>>>

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please post the logs and let me know if the problem persists.
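As an added example (not part of this thread, and not code from the FRST tool): a small Python filter that pulls out of an FRST log the lines a responder would carry into a fixlist, using the two cues visible in the post above (FRST's own `<==== ATTENTION` flag, and orphan entries ending in `-> No File` or `<not found>`), and wraps them in the Start/End skeleton. The sample log lines are constructed from this thread's entries, and the category labels are my own.

```python
# Constructed sample: FRST log lines modelled on the ones in this thread, plus one
# unflagged extension line (the Norton home page) to show the filter ignoring it.
SAMPLE_LOG = r"""
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
CHR Extension: (Norton Home Page for Chrome) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfoabcdjalmeenbjjngidappmppchblc [2017-07-11]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
Task: {00B4AC4E-15A4-4F0D-A631-1700A11C393E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
"""

ATTENTION = "<==== ATTENTION"
ORPHAN_MARKERS = ("-> No File", "<not found>")
# Coarse entry types, keyed on the FRST line prefix (labels are my own, not FRST's).
PREFIXES = (("Task:", "task"), ("BHO", "bho"), ("CHR", "chrome"),
            ("HKLM\\", "registry"), ("HKCU\\", "registry"))

def review_reason(line):
    """Why a line belongs in a fixlist: FRST's own flag, or an orphan pointing nowhere."""
    if ATTENTION in line:
        return "attention"
    if any(marker in line for marker in ORPHAN_MARKERS):
        return "orphan"
    return None

def category(line):
    for prefix, name in PREFIXES:
        if line.startswith(prefix):
            return name
    return "other"

def flagged_entries(log_text):
    """Return (line, reason, category) for every line worth reviewing, in log order."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = review_reason(line)
        if line and reason:
            out.append((line, reason, category(line)))
    return out

def build_fixlist(entries):
    """Wrap the selected lines in the skeleton FRST expects: restore point first, reboot last."""
    body = "\n".join(line for line, _, _ in entries)
    return "Start\nCreateRestorePoint:\nCloseProcesses:\n\n" + body + "\n\nReboot:\nEnd\n"

print(build_fixlist(flagged_entries(SAMPLE_LOG)))
```

The generated fixlist is a starting point for a responder to read through, not something to run unreviewed; FRST keeps the `<==== ATTENTION` marker on fixlist lines, so the lines are copied unchanged.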

#4 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 12 August 2018 - 03:12 PM

fixlog

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 13 August 2018 - 10:27 AM

Hi,

How is the computer performing now?

#6 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 13 August 2018 - 11:04 AM

Same result.

Attached Files



#7 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 13 August 2018 - 11:10 AM

I get the above result with Chrome, Firefox and Opera browsers.

I get the correct response with the Epic browser.

 

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 13 August 2018 - 12:35 PM

Are you Syncing these browsers with other devices?

#9 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 13 August 2018 - 01:53 PM

Yes, 2nd computer also infected, no others. FRST enclosed.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 14 August 2018 - 07:22 AM

Hi,

Disable the Sync on all compromised computers.

Chrome.
https://support.google.com/chrome/answer/185277?hl=en&visit_id=636698449563204097-1801492810&rd=1

==

Firefox.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

===

Opera:
https://help.opera.com/en/latest/features/#sync

===

I would start with the default browser.
When the Sync is disabled, restart the computer normally.

Use the browsers and find out if the problem persists.

Do not re-sync until all your browsers have been reset.

===

If the problem is the same with the other computer try this fix.

If not then Start a new Topic and post the logs.
The problem may not be the same and we do not service 2 computers in the same topic.
When done give me the URL and I will expedite the response.

#11 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 14 August 2018 - 12:12 PM

Hi,

Disable the Sync on all compromised computers.

Chrome.
https://support.google.com/chrome/answer/185277?hl=en&visit_id=636698449563204097-1801492810&rd=1

==

Firefox.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

===

Opera:
https://help.opera.com/en/latest/features/#sync

===

I would start with the default browser.
When the Sync is disabled, restart the computer normally.

Use the browsers and find out if the problem persists.

Do not re-sync until all your browsers have been reset.

===

If the problem is the same with the other computer try this fix.

If not then Start a new Topic and post the logs.
The problem may not be the same and we do not service 2 computers in the same topic.
When done give me the URL and I will expedite the response.

I have uninstalled Firefox, Chrome and Opera. I never use Edge and cannot uninstall it, but it is also affected.

I have turned off sync.

I never mentioned this second computer in the first inquiry because I know you do not work on two computers at once, and this second computer is not connected with the first.

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 14 August 2018 - 01:37 PM

Hi,

I have uninstalled Firefox, Chrome and Opera. I never use Edge and cannot uninstall it, but it is also affected.
I have turned off sync.


It would have been informative if you had just removed the Sync on one of the browsers to find out if the problem was solved with that browser.

Please reinstall Chrome or Firefox and let me know if the problem persists.

If it does, make sure the Sync has not been reestablished with the fresh install.
===

Are both the computers connected to the same Router?

===

Looking at your second computer I do not think that a fix right now would change anything.
Will see later.

#13 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 14 August 2018 - 04:43 PM

Turned off sync, reinstalled Chrome, same result in first computer and second. This is FRST for #2 computer.

Both on different modems.

Attached Files



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:58 PM

Posted 15 August 2018 - 08:00 AM

Hi,

The only thing to clean on your second computer are these two entries.

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION


This will not stop the redirect.

As you said, both are on a different modem.
Are both of these modems connected to the same Router?

===

Navigate to this page.
https://support.google.com/chrome/answer/95426?co=GENIE.Platform%3DDesktop&hl=en

Check the status of the Search engines.
If you find any that you do not recognize delete it.

#15 rojochispas

rojochispas
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 17 August 2018 - 02:24 PM

No router, two modems in different buildings.

Ran AVG boot sector scan, found 3 PDFs with supposed malware, deleted.

SUPERAntiSpyware worked on this for three days; they gave up.

Ran Emsisoft Emergency Kit, found nothing; did individual scans for Google, bookmarks, desktop, found nothing.

Ran Complete Internet Repair, nothing.

What is interesting is that in the original Google internet search page the KRT radionics has been replaced by the Cialis pharmacy.

Enclosed the original search page and today's result,

and a print screen of what the page looks like when found by the Epic browser today, Aug 17 (http://www.kellyresearchtech.com/ka-analyzers.html).

There is something in the Epic browser that is avoiding the pharmacy results of Chrome, Firefox and Opera.

Attached Files


