Jump to content

Recommended Posts

Hi,

 

I use ESET NOD32, windows firewall and everyday I scan my pc with MalwareBytes free and Adwcleaner.Everyday I find on my pc "hijack.autoconfigURL".Everyday both Malwarebytes and Adwcleaner find it, clean it, and always the next day I find it on my pc.

 

Can you please help me get rid of it? I don't know what to do.

Link to post
Share on other sites

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". <---- Very Important
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...



Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.



Let me see those logs in your next reply...

Thank you,

Kevin...
 

Link to post
Share on other sites

Hi,

"hijack.autoconfigURL" found once again on my pc.I get the forum msg that my post is too long so both Addition and FRST logs are attached.Thank you for your help.

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19/1/2016
Scan Time: 13:06
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.19.03
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Lampros

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346288
Time Elapsed: 7 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 2
Hijack.AutoConfigURL, HKU\S-1-5-21-1729962092-428206039-1083671675-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/proxy.pac, Quarantined, [1f604dee3168eb4bfeff3f90e022a45c]
Hijack.AutoConfigURL, HKU\S-1-5-21-1729962092-428206039-1083671675-1003\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/proxy.pac, Quarantined, [ea9551ea821761d5bd407857ab57dd23]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

 

# AdwCleaner v5.030 - Logfile created 19/01/2016 at 13:30:06
# Updated 17/01/2016 by Xplode
# Database : 2016-01-17.3 [server]
# Operating system : Windows 10 Pro  (x64)
# Username : Lampros - DESKTOP-E3RU81D
# Running from : C:\Users\Lampros\Downloads\adwcleaner_5.030.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[s14].txt - [579 bytes] ##########
 

 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.
 

Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Next,

 

Download and Save McAfee Stinger to your Desktop from here:

http://downloadcenter.mcafee.com/products/mcafee-avert/Stinger/stinger32.exe

Read the Terms and Conditions, the download tab is at the bottom of the page.
Close all browsers before starting. Disable your antivirus program and anti-malware, if any.
To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs read here:

http://www.bleepingcomputer.com/forums/topic114351.html

On Windows 7, 8, 10 & Vista systems, Right Click on Stinger stinger.jpg and select Run as Administrator.
On XP, double-click to start it.
Click on “I Accept” tab at McAfee end user licence agreement.

Stinger%20a.png

In the new Window select “Advanced” then “Settings”

Stinger%20b.png

The settings window will open, make sure the settings are exactly as shown in the following image, then select “Save” <<------Very Important

Stinger%20c.png

In the new window Click the “Customize my Scan” under the “Scan” button.

Stinger%20f.png

In the new Window select C:\ drive and any other listed Hard Drive, then select “Scan”

Stinger%20g.png

When the scan completes select the “View log” to do that, select “Notepad” if offered in list of choices.

If the log opens in your browser, copy and save to  a file....

I will need a copy of that log.
 

Let me see those logs in your reply...  Also let me know if any remaining issues or concerns..

 

Thank you,

 

Kevin..

 

 

 

Fixlist.txt

Link to post
Share on other sites

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 10 Pro x64
Ran by Lampros (Administrator) on ’¨  19/01/2016 at 19:38:11,18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0


Deleted the following from C:\Users\Lampros\AppData\Roaming\Mozilla\Firefox\Profiles\cer220xl.default\prefs.js
user_pref(browser.urlbar.suggest.searches, true);



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on ’¨  19/01/2016 at 19:39:10,51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


McAfee® Labs Stinger™ Version 12.1.0.1860 built on Jan 19 2016 at 13:16:52
Copyright© 2015, McAfee, Inc. All Rights Reserved.

AV Engine version v5800.7501 for Windows.
Virus data file v1000.0 created on Jan 19, 2016
Ready to scan for 9716 viruses, trojans and variants.

Custom scan initiated on Τρίτη, Ιανουάριος 19, 2016 19:45:38


Rootkit scan result : Not Scanned.



Summary Report on C:
D:
E:
F:
G:
H:
I:
File(s)
    TotalFiles:............    493682
    Clean:.................    370198
    Not Scanned:........... 123484
    Possibly Infected:.....    0

Time: 00:57:31

Scan completed on Τρίτη, Ιανουάριος 19, 2016 20:43:09

 

Fixlog.txt

Link to post
Share on other sites

Ok let me know how your system responds after that time.... before then can you open an elevated command prompt, select Windows Key and X key together, from the list select command prompt (admin)

 

Copy and paste the following command at the prompt

 

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s > 0 & notepad 0

Select enter...

The tasklist will open in notepad, copy or attach to your reply....

Link to post
Share on other sites

I did another scan today and everything seems to be amazingly well!!!!Thank you, I was in despair and ready to format my pc.I know this is too much to ask but I am really curious how I got it.I am always very careful when I am browsing on the net ......Anyway, thank you, thank you very very much for your help :)

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 20/1/2016
Scan Time: 18:48
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.20.04
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Lampros

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 342491
Time Elapsed: 8 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

It really difficult to say how your system became exploited, could be Browser Hijacker, poisoned website, drive by downloader, bundled exploiter on free software, exploited links in emails etc etc.....

 

If no issues or concerns we can clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



  •    
  • Remove disinfection tools
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
       
  • Reset system settings



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…
 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif
 

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.