Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Browswer redirect to the point of crashing


Recommended Posts

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...


Next,

Is the following IP address known to you and trusted?

IP Information for 82.163.142.173
Quick Stats
IP Location     Israel Israel Tel Aviv Xglobe Online Ltd
ASN     Israel AS204078 GREENTEAM Green Team Internet LTD (registered Sep 02, 2015)
Whois Server     whois.ripe.net
IP Address     82.163.142.173

Next,

Please open Malwarebytes Anti-Malware.


  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:


  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:   Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Xplode onto your Desktop.


  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt  under "Optional scan" Select scan, when done post the new logs....


Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

Kevin

 

Link to post
Share on other sites

I do not believe I have any peer to peer software in place. Is Steam or my Transporter (which I use for work) peer to peer?

I am not familiar with the IP you identified

I ran the scan here is the log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/22/2016
Scan Time: 7:28 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.03.22.04
Rootkit Database: v2016.03.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: nwelt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369809
Time Elapsed: 10 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 4
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3137aec5-6122-48cb-bcec-85d23e778552}|NameServer, 82.163.143.171 82.163.142.173, Quarantined, [26a6e5a58019231328282a59a85cb34d]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{4dd86ec0-645e-4e30-a8a0-fcab287cecb2}|NameServer, 82.163.143.171 82.163.142.173, Quarantined, [4e7e5436debb0c2af25e98eb57ad16ea]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9b427a57-6ddc-497f-a1b9-ef20d3b14336}|NameServer, 82.163.143.171 82.163.142.173, Quarantined, [9636e8a2108993a3b29e7112f410d12f]
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{e761277d-1407-4fb8-8786-55404756413f}|NameServer, 82.163.143.171 82.163.142.173, Quarantined, [af1d058525748fa780d03d466b9916ea]

Registry Data: 1
Trojan.DNSChanger.DNSRst, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, 82.163.143.171 82.163.142.173, Good: (8.8.8.8), Bad: (82.163.143.171 82.163.142.173),Replaced,[507c9eeca5f48ea8797dd152838242be]

Folders: 0
(No malicious items detected)

Files: 1
Adware.Adposhel, C:\ProgramData\383b815a\3d028666.dll, Delete-on-Reboot, [95371d6dbddc181ed0f7c8d7cc36d030],

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

Here is the adwcleaner log:

# AdwCleaner v5.105 - Logfile created 23/03/2016 at 00:23:10
# Updated 21/03/2016 by Xplode
# Database : 2016-03-22.2 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : nwelt - DESKTOP-J406FIB
# Running from : C:\Users\nwelt\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\383b815a
[-] Folder Deleted : C:\Users\nwelt\REACHit

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [779 bytes] - [23/03/2016 00:23:10]
C:\AdwCleaner\AdwCleaner[S1].txt - [828 bytes] - [23/03/2016 00:21:58]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [923 bytes] ##########

 

FRST logs are attached.

 

Not aware of other issues as the machine as been out of use today.

 

FRST.txt

Addition.txt

Link to post
Share on other sites

There was no direct accustaion that you have any P2P applications on your system, the point was only to make you aware of Forum Protocol. That information is included in all opening replies, there is no other reason for that information...

As can be see from the Malwarebytes log the IP address in question was part of DNSChanger infection and has been removed.. There is however remnants that will be removed with FRST....

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:


If using Mozilla Firefox or Google Chrome:

To perform the scan:


  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology select “Change” select any extra drives in that window.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable protection software!

Let me see those logs, also give an update on any remaining issues or concerns...

Thank you,

Kevin...

 

 

Fixlist.txt

Link to post
Share on other sites

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=4dd3647f7b673e4a8c23b5870262f59a
# end=init
# utc_time=2016-03-24 04:39:46
# local_time=2016-03-23 11:39:46 (-0600, Central Daylight Time)
# country="United States"
# osver=6.2.9200 NT
Update Init
Update Download
Update Finalize
Updated modules version: 28730
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=4dd3647f7b673e4a8c23b5870262f59a
# end=updated
# utc_time=2016-03-24 04:43:24
# local_time=2016-03-23 11:43:24 (-0600, Central Daylight Time)
# country="United States"
# osver=6.2.9200 NT
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=4dd3647f7b673e4a8c23b5870262f59a
# engine=28730
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2016-03-24 08:00:45
# local_time=2016-03-24 03:00:45 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 21402057 0 0
# scanned=325448
# found=0
# cleaned=0
# scan_time=55040

 

Fixlog.txt

Link to post
Share on other sites

Thanks for those logs, FRST has removed remaining dnschanger remnants and some clutter. ESET returns a clean log.... If no remaining issues or concerns run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:


  •    
  • Remove disinfection tools
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
       
  • Reset system settings

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif

 

 

 

Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.