
Chrome redirect problem



Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

1. Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button and post the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

=================================

Please download and run AVAST-Browser-Cleanup: (let it clean what it finds)

http://files.avast.com/files/tools/avast-browser-cleanup.exe <---- AVAST browser cleanup

=================================

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next.........

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC


MrC.

 

Here are the contents of the log files:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-12-2014
Ran by ronweb1 at 2014-12-27 10:29:30 Run:1
Running from C:\Users\ronweb1\Desktop
Loaded Profile: ronweb1 (Available profiles: ronweb1 & Michael & Kaeli & Jerri)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicyUsers\S-1-5-21-826295656-1837401770-3069193324-1009\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = http://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = http://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
C:\Users\Michael\AppData\Local\Temp\fwgiqapy.dll
C:\Users\Michael\AppData\Local\Temp\ICReinstall_Kitara_Installer.exe
C:\Users\Michael\AppData\Local\Temp\install_flashplayer16x32au_mssd_aaa_aih.exe
C:\Users\Michael\AppData\Local\Temp\Quarantine.exe
C:\Users\Michael\AppData\Local\Temp\sqlite3.dll
C:\Users\Michael\AppData\Local\Temp\WHSConnectorInstall.exe
C:\Users\ronweb1\AppData\Local\Temp\CreativeCloudSet-Up.exe
C:\Users\ronweb1\AppData\Local\Temp\Quarantine.exe
C:\Users\ronweb1\AppData\Local\Temp\raptrpatch.exe
C:\Users\ronweb1\AppData\Local\Temp\Samsung_Magician_Setup_v45.exe
C:\Users\ronweb1\AppData\Local\Temp\sqlite-3.6.20-sqlitejdbc.dll
C:\Users\ronweb1\AppData\Local\Temp\sqlite3.dll
C:\Users\ronweb1\AppData\Local\Temp\_isB8F3.exe
C:\Users\ronweb1\AppData\Local\Temp\_isBCF7.exe
CustomCLSID: HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\ronweb1\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ronweb1\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ronweb1\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\ronweb1\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

 

 

*****************

C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-826295656-1837401770-3069193324-1009\User => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{21A51130-7285-49FE-B3F6-2385CC71CDEA}" => Key deleted successfully.
HKCR\CLSID\{21A51130-7285-49FE-B3F6-2385CC71CDEA} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{21A51130-7285-49FE-B3F6-2385CC71CDEA}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{21A51130-7285-49FE-B3F6-2385CC71CDEA} => Key not found.
C:\Users\Michael\AppData\Local\Temp\fwgiqapy.dll => Moved successfully.
C:\Users\Michael\AppData\Local\Temp\ICReinstall_Kitara_Installer.exe => Moved successfully.
C:\Users\Michael\AppData\Local\Temp\install_flashplayer16x32au_mssd_aaa_aih.exe => Moved successfully.
C:\Users\Michael\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Michael\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Michael\AppData\Local\Temp\WHSConnectorInstall.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\CreativeCloudSet-Up.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\raptrpatch.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\Samsung_Magician_Setup_v45.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\sqlite-3.6.20-sqlitejdbc.dll => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\_isB8F3.exe => Moved successfully.
C:\Users\ronweb1\AppData\Local\Temp\_isBCF7.exe => Moved successfully.
"HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => Key deleted successfully.
"HKU\S-1-5-21-826295656-1837401770-3069193324-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.

The system needed a reboot.

==== End of Fixlog 10:29:31 ====

 

 

 

# AdwCleaner v4.106 - Report created 27/12/2014 at 10:34:59
# Updated 21/12/2014 by Xplode
# Database : 2014-12-21.4 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : ronweb1 - MICHAEL
# Running from : C:\Users\ronweb1\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

File Deleted : C:\Program Files (x86)\Uninstall.exe

***** [ Scheduled Tasks ] *****

Task Deleted : ProPCCleaner_Start
Task Deleted : ProPCCleaner_Popup

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{71B97DA2-A432-42FA-AD66-28C567704807}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F2FA86A-181A-4F8F-B853-51F897A91227}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99E2F3AB-15ED-4F76-8921-2471702C2EF3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5DAAB57B-836A-456C-99D8-A5E0AF03FD94}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2C938654-2875-404A-8D95-664CC1F36620}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F969EF1-4860-4564-87FC-59925DF0EC62}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFD3A45B-3B01-47D3-8433-5A72D8026392}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D462DCAD-F466-413A-BFB1-DB0B5FE5632D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E74BB8EA-65C0-4668-A5F0-6A28108DCA84}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D40766-F80D-478A-AA30-D90A8B49C789}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{27FBF3C5-1A02-4375-ADC3-132FB74327B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BB02A111-23B2-4242-9C8E-B093BD0A2E3C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2C938654-2875-404A-8D95-664CC1F36620}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F969EF1-4860-4564-87FC-59925DF0EC62}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{CFD3A45B-3B01-47D3-8433-5A72D8026392}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D462DCAD-F466-413A-BFB1-DB0B5FE5632D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E74BB8EA-65C0-4668-A5F0-6A28108DCA84}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10D40766-F80D-478A-AA30-D90A8B49C789}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{27FBF3C5-1A02-4375-ADC3-132FB74327B1}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Google Chrome v39.0.2171.95

[C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

-\\ Comodo Dragon v

[C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

*************************

AdwCleaner[R0].txt - [26585 octets] - [02/11/2014 16:51:08]
AdwCleaner[R1].txt - [1566 octets] - [06/11/2014 18:54:23]
AdwCleaner[R2].txt - [2275 octets] - [08/11/2014 15:57:28]
AdwCleaner[R3].txt - [2599 octets] - [08/11/2014 16:47:37]
AdwCleaner[R4].txt - [1772 octets] - [10/11/2014 15:03:46]
AdwCleaner[R5].txt - [1830 octets] - [10/11/2014 15:04:58]
AdwCleaner[R6].txt - [2286 octets] - [21/11/2014 11:20:51]
AdwCleaner[R7].txt - [1997 octets] - [05/12/2014 16:27:50]
AdwCleaner[R8].txt - [4429 octets] - [27/12/2014 10:32:54]
AdwCleaner[s0].txt - [27235 octets] - [02/11/2014 16:52:51]
AdwCleaner[s1].txt - [1635 octets] - [06/11/2014 18:55:42]
AdwCleaner[s2].txt - [1952 octets] - [08/11/2014 16:00:42]
AdwCleaner[s3].txt - [2651 octets] - [08/11/2014 16:48:51]
AdwCleaner[s4].txt - [2201 octets] - [10/11/2014 15:05:35]
AdwCleaner[s5].txt - [2659 octets] - [21/11/2014 11:22:12]
AdwCleaner[s6].txt - [2218 octets] - [05/12/2014 16:31:04]
AdwCleaner[s7].txt - [4674 octets] - [27/12/2014 10:34:59]

########## EOF - C:\AdwCleaner\AdwCleaner[s7].txt - [4734 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Professional x64
Ran by ronweb1 on Sat 12/27/2014 at 10:44:13.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/27/2014 at 10:45:51.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/27/2014
Scan Time: 10:48:52 AM
Logfile: MB log 2.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.27.06
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ronweb1

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 542323
Time Elapsed: 5 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
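
A Fixlog like the one posted above can be triaged mechanically before it is read line by line. The following is an added example, not part of the original thread and not FRST's own code; it assumes only the `target => outcome.` line format visible in the post, and the names `triage_fixlog` and `SAMPLE_FIXLOG` are hypothetical.

```python
import re
from collections import Counter

# Excerpt built from lines of the Fixlog.txt posted above. The result line for
# raptrpatch.exe is deliberately left out (constructed gap) to exercise the
# "requested but no result" check.
SAMPLE_FIXLOG = r'''Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Michael\AppData\Local\Temp\fwgiqapy.dll
C:\Users\ronweb1\AppData\Local\Temp\raptrpatch.exe
*****************

C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKCR\CLSID\{21A51130-7285-49FE-B3F6-2385CC71CDEA} => Key not found.
C:\Users\Michael\AppData\Local\Temp\fwgiqapy.dll => Moved successfully.

The system needed a reboot.
'''

# A result line looks like:  <target> => <outcome>.   (target may be quoted)
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')
# Fixlist entries that are plain file paths start with a drive letter.
FILE_RE = re.compile(r'^[A-Za-z]:\\')
# Outcomes seen in the posted log that mean the item was acted on.
SUCCESS = {"Moved successfully", "Key deleted successfully"}


def triage_fixlog(text):
    """Summarise a Fixlog: outcome counts, items to review, files with no result."""
    requested, results = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            # Windows paths and registry keys are case-insensitive.
            results[m.group("target").lower()] = (m.group("target"), m.group("outcome"))
        elif FILE_RE.match(line):
            requested.append(line)
    return {
        "counts": Counter(outcome for _, outcome in results.values()),
        "review": [(t, o) for t, o in results.values() if o not in SUCCESS],
        "missing": [p for p in requested if p.lower() not in results],
        "reboot": "The system needed a reboot" in text,
    }


if __name__ == "__main__":
    for key, value in triage_fixlog(SAMPLE_FIXLOG).items():
        print(key, "->", value)
```

Anything that lands in `review` or `missing` is what to look at first; "Key not found" means the key was already absent when the fix ran.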

 

 

 


MrC,

 

I went to Amazon and whenever I click on a product I get directed to www.readytwos.com, and the whole page says "phishing attack ahead" has a button for details and then a "back to safety" button.

 

Also, after a few okay pages I did just get another redirect that has a pop-up, says my Java needs updating,

 

Ron


1. Download and run this tool (Software removal tool). It will immediately start searching for suspicious programs on your computer and then show a message with how many programs it found.

https://www.google.com/chrome/srt/

2. Click ‘Remove suspicious programs’ and wait for the tool to show the ‘removal complete’ message.

3. Click ‘Continue’ to quit the tool (you may be prompted to restart your computer, do so)

4. After that, Chrome will automatically open and ask to reset browser settings, click ‘Reset’.

MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
