HELP Search Engage: MWB, ADW, Avast but not fixed


I'm a MWB subscriber. 

All my browsers have been hijacked by Search Engage.

I downloaded a desktop time through cnet. It loaded adware/malware including 360 Security and Search Engage. (BTW: I was looking closely for opt-in to load any additional applications and there were none.)

Anyway, I couldn't find anything on Search Engage on MWB.com. I followed recommendations on fixyourbrowser which matched 2 other DIY sites. I ran ADWCleaner and deleted all files it identified as malicious. Then I ran mwb and deleted all identified files which were all PUPs. Then I ran Avast browser hijacker which identified and removed hijacking malware. I then restarted my machine. When I opened Chrome, Search Engage browser opened. Same for IE.

Help!

Thanks in advance.

Thomas


Hello thsavage1 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system, continue as follows please:

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...

Kevin,

Thanks for your help. I've had a new development since I submitted this topic/issue.

Yesterday morning (5/26) after I started up my PC (from Off, not hibernation), PC no longer had issue with Search Engage hijack of my Chrome browser. The only thing I had done in between submitting topic and morning of 5/26 was to run Google Chrome Clean Up tool to reset the browser.

HOWEVER, a new pop-up emerged late Monday PM. It is a Windows product key verification request. I've attached screen capture of the pop up. It seemed suspicious since the logo in title bar was MSFT nor anything I recognized and the Support Helpline was a 844 number. I called MSFT support about the pop-up. They were worthless (as expected). Both the techs I spoke with just tried to get me to migrate to Windows 10 and didn't even address my questions about whether or not this is a legit pop up,  how I could determine if it was, or if the 844-651-8850 number was a legit MSFT support number. 

Anyway, I think this pop up is a scam. I googled PK verification scams and 844- support line scams and uncovered a lot of articles indicating this is likely adware/malware scam.

I went ahead and ran the scans you listed above and have attached the log files. One issue did occur. When I tried to run the MWB scan the first time after changing settings as you requested, MWB choked and failed to run the scan. It worked after I restarted my PC. I ran all 3 scans straight through after this last restart after MWB failed.

I've uploaded the following 6 files

- RKill 04262016

- MWB_log_04262016

- FRST_log_04272016 

- FRST_log_04272016_no.2 (came from the single scan run)

- Screen capture: MWB fail

- Screen capture: MSFT Product Key verification pop-up window

I look forward to your reply on next steps.

Thanks very much for your patient help.

Regards,

Thomas

FRST_log04272016_Addition.txt

FRST_log04272016_no.2_Addition.txt

MWB_log_04262016.txt

Rkill_04262016.txt

MWB_fail_capture.png


P2P/Piracy Warning:

Please read the following link with regard to illegal software: https://forums.malwarebytes.org/topic/97700-piracy/

There is direct evidence of an illegal hack running on your system to defeat activation of software you have installed, that is a direct breach of forum protocol... I cannot offer any further help.

You can contact a forum moderator for further advice..

Thank you,

Kevin..

What? 

Kevin - I've not loaded any illegal software onto my PC to my knowledge. Can you point me to a tool or a reference page that can help me identify the illegal software?

The only software I've loaded in past 12 months that might be an issue is related to my kids' use of this PC such as apps for my 10yo programming classes or games we've bought such as Minecraft.

I've got to get this figured out. Where can I go to figure this out?

Thanks in advance for any help you can give me.

- Thomas


Thanks for the reply Thomas,

I'm a volunteer here at Malwarebytes, I am not staff. I too am bound by protocol regarding anything illegal that is found in produced logs. The only option you have is to contact a moderator or Admin staff member for advice and any possible way forward...

Kevin...


  • Root Admin

127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net#
 

This topic is now closed to further replies.
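
The lines in the last post are in hosts-file format: one address followed by the hostnames that resolve to it. As an added example (not part of the thread and not a Malwarebytes or FRST tool), this script parses hosts-file text and lists every name other than localhost that is pointed at a loopback or unspecified address, grouped by parent domain; the Adobe, VeriSign and OpSource names in the sample are copied from that post, the other sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import sys
from collections import defaultdict

# Sample hosts-file text: the adobe/verisign/opsource names come from the post
# above; the comment, 0.0.0.0 and 192.168.x lines are constructed for the example.
SAMPLE = """\
# constructed header comment
127.0.0.1 localhost
::1 localhost
127.0.0.1 activate.adobe.com practivate.adobe.com ereg.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net#
0.0.0.0 example.invalid   # constructed entry
192.168.1.10 nas.home.example
"""

BENIGN = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops a trailing '#' glued to a name
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")  # hostnames are case-insensitive

def sinkholed_names(text):
    """Sorted, de-duplicated names mapped to loopback/unspecified, minus localhost."""
    return sorted({name for addr, name in parse_hosts(text)
                   if (addr.is_loopback or addr.is_unspecified) and name not in BENIGN})

def by_parent_domain(names):
    """Group by the last two labels (naive; not public-suffix aware)."""
    groups = defaultdict(list)
    for name in names:
        groups[".".join(name.split(".")[-2:])].append(name)
    return dict(groups)

if __name__ == "__main__":
    # Pass a hosts file path as the first argument, or run on the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for parent, names in sorted(by_parent_domain(sinkholed_names(text)).items()):
        print(f"{parent}: {len(names)} name(s) redirected: {', '.join(names)}")
```

On Windows the file to pass is normally `C:\Windows\System32\drivers\etc\hosts`.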