
Recurring Malware: Unideals, browser redirections/extensions, random text turning into hyperlinks.



Hello there. For the last several months I've been trying to deal with an infection on my computer. I've run many different scanners in attempts to fix it with varying success. The main browser that I use is Chrome, and I've had insane browser redirections, I've had random selections of text become hyperlinks in an attempt to redirect me, and my homepage switched on me. My computer has been running programs a lot slower than it used to, and sitting on my desktop with IE with this forum open, Steam (not downloading anything), and Avast running, my computer is using 3 gigs of RAM, out of my available 8, which seems outrageous.

Now, various scanners and virus software can usually remove these issues temporarily, and I've been doing this the last several months, but the issue always resurfaces, and it's getting extremely frustrating. I'm not currently getting browser redirects or unwanted extensions, or hyperlinks and homepage changes, but now my Google Chrome completely does not work. I'm on Windows 7, and clicking Chrome on my taskbar makes it appear as if it's open, then it closes a moment later, with no actual "Chrome" window actually opening up. Due to this, I'm stuck using Internet Explorer, which is frequently crashing while searching Google, or closing webpages. Very "light" tasks.

I also seem to be unable to factory reset my router, or mess with the settings, and after looking into it online I've read that this can be due to malware as well. I usually have many of my ports forwarded so I can host game servers, and I have been unable to host anything recently due to being unable to modify my settings.

A virus scanner called Hitman Pro seems to reveal threats that MalwareBytes does not, however because I expired my "trial" last year, it will not delete them for me, and because the threats are in the registry, I do not want to go deleting things without consulting some experts.

My unprofessional opinion is that I've got some undetected virus that is installing malicious software, as for the past several months I've been trying to practice safe browsing/installing as best I can. (Custom installing any free software, etc.)

Sorry for jumping around a bit between issues, I'm just trying to provide as much information as I can! Hopefully we can get to the bottom of this!

I appreciate any assistance you guys can give me. I have downloaded Farbar, and attached FRST and Addition, as well as a screenshot of what Hitman Pro currently detects with its location in the registry.

FRST.txt

Addition.txt

post-199258-0-85148300-1454881823_thumb.


Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so back up your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button that gives you an Upload Files option below, which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.
 
 



If you take a closer look at HitmanPro, you will see No threats found. That means these are only some harmless traces and cookies, so regarding this there is no need to worry.
 
Regarding my assistance, I spotted you have some pirated content. If you want my help, you need to remove pirated content from your PC.

 



I am currently in the process of removing some files from my computer. As a note, I had my P2P software, Tixati, "Completely disabled", though I have now removed it. I'll provide you with a new Farbar scan once the rest of these files are completely removed from my computer.

--- --- --- --- ---

I did see the "no threats found" on Hitman Pro, but was confused as I know that Unideals has been on my system before, and is unwanted software. In the last week, I have run CCleaner, and had Malwarebytes remove some threats, so I suppose Hitman could be detecting leftover files? But why would there still be Unideals in HKU/Software/DEFAULT? I certainly want no traces of that on my machine.


FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy {12DA0E6F-5543-440C-BAA2-28BF01070AFA} into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
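For readers who want to see what a registry search like the one requested above actually covers, here is an added PowerShell example. It is not FRST's code and not part of this thread; it walks the HKLM and HKEY_USERS hives (which includes the .DEFAULT profile where the Unideals traces were seen) and reports every key name, value name or value data that contains the given string. It only reads the registry and writes a report to the Desktop; nothing is changed or deleted. The default pattern is the GUID from the post above; the output file name is an assumption.

```powershell
# Added example, not FRST's own code: read-only registry search for a string,
# similar in scope to the FRST "Search Registry" button. Run from an elevated
# PowerShell prompt so that HKEY_USERS and HKLM are fully readable.
param(
    [string]$Pattern = '{12DA0E6F-5543-440C-BAA2-28BF01070AFA}',   # GUID quoted in the thread
    [string]$OutFile = "$env:USERPROFILE\Desktop\RegSearch.txt"     # assumed report location
)

# Hives to walk. HKEY_USERS covers every loaded profile, including .DEFAULT,
# so HKCU does not need to be listed separately.
$hives = @('HKLM:\', 'Registry::HKEY_USERS')

# Treat the pattern literally (braces would otherwise be regex syntax).
$escaped = [regex]::Escape($Pattern)

$hits = foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Match on the key path itself, e.g. ...\CLSID\{GUID}
        if ($key.Name -match $escaped) {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        # Match on value names and value data stored under the key
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($name -match $escaped -or ("$data" -match $escaped)) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = "$data" }
            }
        }
    }
}

# Write a plain-text report and summarise on the console.
$hits | Format-List | Out-String | Set-Content -Path $OutFile
"Found $(@($hits).Count) match(es); report written to $OutFile"
```

Walking all of HKLM and HKEY_USERS takes a few minutes; the script is deliberately read-only so the report can be reviewed (or posted here) before anyone decides what, if anything, to remove.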

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt


I don't really notice a difference.  Google Chrome still will not actually launch, though I have not tried a reinstall because I figured Chrome not working was a symptom of the infection and might be fixed before resorting to an uninstall. 

My router is still messed up, clearly, because looking up my public IP with Google gives me this instead of a normal IP: 2001:569:bd52:8600:5d6a:f501:353:845a

I have no idea what that means, but I know it's not a regular IP.  I can try resetting my router again, but I'm pretty sure it just will not work, like last time I tried.
 


Okay, then let's try to uninstall Chrome:

Uninstall Chrome

Export your bookmarks first.

  1. Close all Chrome windows and tabs.
  2. Go to the Start menu > Control Panel.
  3. Click Programs and Features.
  4. Double-click Google Chrome.
  5. Click Uninstall in the confirmation dialog. To delete your user profile information, such as your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.
  6. Click Start, copy %LOCALAPPDATA%\ into the search box, and remove the folder Google.
  7. Download Chrome.

What is your router model?

It's a D-Link Wireless N300 Router // DIR-605L

 

Export bookmarks from Chrome
  1. Open Chrome.
  2. In the top right, click the Menu.
  3. Select Bookmarks > Bookmark Manager.
  4. In the manager, click the "Organize" menu.
  5. Select Export bookmarks.

Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

 

 

I am unable to do step 1.
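Because the export steps above need a running Chrome, and Chrome will not launch here, the bookmarks can instead be recovered straight from the profile's Bookmarks file before the Google folder is deleted. The following is an added example, not Google's tooling and not part of this thread: it copies the JSON Bookmarks file to the Desktop and also converts it to the HTML bookmark format that browsers import. It assumes the default profile path under %LOCALAPPDATA% and PowerShell 3 or later (for ConvertFrom-Json); the output file names are assumptions. It only reads the profile.

```powershell
# Added example: back up Chrome bookmarks without launching Chrome.
# Reads the profile's JSON "Bookmarks" file and writes a Netscape-format HTML
# file that any browser can import. Assumes the default profile location and
# PowerShell 3+ (ConvertFrom-Json). Read-only with respect to the profile.
param(
    [string]$Profile = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default",
    [string]$OutFile = "$env:USERPROFILE\Desktop\chrome-bookmarks.html"   # assumed name
)

$src = Join-Path $Profile 'Bookmarks'
if (-not (Test-Path $src)) { throw "No Bookmarks file at $src" }

# Keep an untouched copy of the raw JSON alongside the HTML export.
Copy-Item $src "$OutFile.json" -Force

$json = Get-Content -Raw -Path $src | ConvertFrom-Json

function Escape-Html([string]$s) {
    $s -replace '&','&amp;' -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
}

# Recursively render a bookmark node (type "url" or "folder") as <DT> lines.
function Render-Node($node, [int]$depth) {
    $pad = '    ' * $depth
    if ($node.type -eq 'url') {
        "$pad<DT><A HREF=`"$(Escape-Html $node.url)`">$(Escape-Html $node.name)</A>"
    } elseif ($node.type -eq 'folder') {
        "$pad<DT><H3>$(Escape-Html $node.name)</H3>"
        "$pad<DL><p>"
        foreach ($child in @($node.children)) { Render-Node $child ($depth + 1) }
        "$pad</DL><p>"
    }
}

$lines = @(
    '<!DOCTYPE NETSCAPE-Bookmark-file-1>'
    '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">'
    '<TITLE>Bookmarks</TITLE>'
    '<H1>Bookmarks</H1>'
    '<DL><p>'
)
# Chrome keeps three top-level roots: bookmark bar, other bookmarks, mobile/synced.
foreach ($rootName in 'bookmark_bar', 'other', 'synced') {
    $root = $json.roots.$rootName
    if ($root) { $lines += Render-Node $root 1 }
}
$lines += '</DL><p>'

$lines | Set-Content -Path $OutFile -Encoding UTF8
"Exported bookmarks to $OutFile (raw copy at $OutFile.json)"
```

Run it before step 6 of the uninstall instructions (removing the Google folder under %LOCALAPPDATA%), since that step deletes the only copy of the Bookmarks file.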
 


With a bit of research, I realized the IP I'm being shown is an IPv6. I have no idea why my router is giving my computer one of those, instead of the regular IPv4 that I used to get. This all came up when the malware popped up, and when MalwareBytes got rid of it, my settings remained like this. Any idea of how to get my IP back to normal, and access my router settings?


Looking up my public IP used to give me something like 147.214.1.97, but now when I look up my IP, the result is this:


And I have no idea how to make it normal again. Last time I reset my router, nothing happened, and I could not access it. My thought was that I was infected with malware, and when I reset my router, it gave it the default "admin" username and default password, which a script guessed, then changed and messed with my settings.

post-199258-0-88899900-1455212439_thumb.


Yes, that is an IPv6 format.

Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.


Alright, well the only thing that showed up was "Realtek PCIe GBE Family Controller". Its settings are like you recommend, but the name of that device does not ring a bell. My router is a D-Link, and that Realtek Controller was the only thing on the list. I'm guessing it's right, and just a computer component or something. But I thought my confusion was worth mentioning.

It is/was set to obtain IP and DNS automatically.


This topic is now closed to further replies.