Jurionx (Author) Posted May 11, 2016 ID:1039157
My MTB file is attached. I have tried my best to remove the services you mentioned through AutoRuns. However, some files are not found; is that going to be an issue?
Attachment: MTB.txt
AdvancedSetup (Root Admin) Posted May 11, 2016 ID:1039164
No, I can help you remove any of those leftover services if they're still there. Were you able to reset your browsers? Please restart the computer one more time. Then run a new FRST scan, make sure to place a check mark in the Additions check box, and post back both new logs; we'll see what we have now and go from there. Do you have a strong password on your wireless router? Did you set it up?
Jurionx (Author) Posted May 11, 2016 ID:1039171
Yep, my browsers have all been reset. The wireless router password was set up by me, and the password is sufficiently strong. Do you think it could be the router? My other computers run fine though. As of now, even though the malware is supposedly running, it does not seem to have any effect on my proxy settings anymore. But I would prefer a permanent removal and solution. Thanks for all the help so far!
Attachments: Addition.txt, FRST.txt
AdvancedSetup (Root Admin) Posted May 11, 2016 ID:1039180
No, I don't think the router is involved; I just wanted to make sure you had a strong password on it and not a default password. You should be good there.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.
Attachment: fixlist.txt

After that, please do a clean removal and reinstall of MBAM. The scheduler piece is having an issue running correctly and the clean removal and reinstall may correct it. Please uninstall your current version of MBAM and reinstall the latest version using the following guide.
MBAM Clean Removal Process 2x

Then after the reinstall please reboot the computer one more time and run the following scan for me.
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link.
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits. Under Non-Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Remove any threats found.
Once completed, please click on History > Application Logs, find your scan log, open it, click on the "copy to clipboard" button and post back the results in your next reply.
Jurionx (Author) Posted May 11, 2016 ID:1039197
Here you go, Ron.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/5/2016
Scan Time: 3:55 PM
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.05.11.01
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357621
Time Elapsed: 9 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Attachment: Fixlog.txt
AdvancedSetup (Root Admin) Posted May 11, 2016 ID:1039224
Please restart the computer again now and let me know if you're getting the redirect anymore or not. Thanks
Jurionx (Author) Posted May 11, 2016 ID:1039302
So far no more annoying redirects, and the proxy autoconfig is missing from the registry. Seems like it's finally done!
Jurionx (Author) Posted May 11, 2016 ID:1039313
I was happy too early. I just saw something akin to a command prompt running for a second and then disappearing. The hijacked proxy settings are back.
Jurionx (Author) Posted May 11, 2016 ID:1039316

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/5/2016
Scan Time: 2:02 AM
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.05.11.05
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358148
Time Elapsed: 10 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [673a379d6e2ba2949d2f5081d82b4eb2]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
AdvancedSetup (Root Admin) Posted May 12, 2016 ID:1039377
It should have created a log file. Can you post back the log file, please? Have you rebooted a couple of times to verify it's still gone? Thanks
Jurionx (Author) Posted May 12, 2016 ID:1039417
Here's the log.
Attachment: scan.txt
AdvancedSetup (Root Admin) Posted May 12, 2016 ID:1039442
Please download the correct version of SystemLook for your computer and save it to your desktop. You can check here if you're not sure if your computer is 32-bit or 64-bit.
SystemLook 32-bit x86 | or | SystemLook 64-bit x64
If using Windows XP, just double click on SystemLook.exe to run it. For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it.
Copy the contents of the following code box into the main text field, including the colon characters.

    :filefind
    *.pac
    settings.ini
    *wpad*
    :regfind
    wpad
    proxy.pac
    wpad.com
    wscript.exe

Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop named SystemLook.txt.
Then let me also get new FRST logs. Please make sure to place a check mark in the Additions check box. Thanks
Jurionx (Author) Posted May 12, 2016 ID:1039444
Here you go!
Attachments: SystemLook.txt, Addition.txt, FRST.txt
AdvancedSetup (Root Admin) Posted May 12, 2016 ID:1039454
Please open REGEDIT and browse to the following location.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
Do you have an entry for "AutoConfigURL"? Restart the computer a couple of times and recheck whether it comes back or not.
Jurionx (Author) Posted May 12, 2016 ID:1039493
After restarting 5 times, no sign of the AutoConfigURL.
AdvancedSetup (Root Admin) Posted May 13, 2016 ID:1039612
Great, looks like we finally got rid of it for good. I'll go ahead and provide you with a closing speech. If it does come back though, please let me know.

At this time there are no more signs of an infection on your system. However, if you are still seeing any signs of an infection, please let me know.

Let's go ahead and remove the tools and logs we've used during this process. Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time. They are often updated daily, so if you went to use them again in the future they would be outdated anyway. The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop (you may already have this).
Ensure "Remove disinfection tools" is checked.
Click the Run button.
Reboot.

Any other programs or logs that are still remaining you can manually delete (right click > Delete), e.g. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, the C:\FRST folder, the FRST-OlderVersion folder, the MBAR folder, etc. AdwCleaner: just run the program and click Uninstall. If there are any other leftover folders, files or logs, you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8
Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here, but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well.

Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected, it can easily damage, encrypt, delete, or corrupt your backups as well, and then you'd lose all your data. Nothing is 100% bulletproof, but with a little bit of education you can certainly swing things in your favor.
How Malware Spreads - How did I get infected
Best Practices for Safe Computing - Prevention of Malware Infection
Avoiding those unwanted free applications
A close look at how Oracle installs deceptive software with Java updates
IAC / Ask.com toolbars
Malwarebytes Unpacked Blog
If you're not currently using Malwarebytes Premium, then you may want to consider purchasing the product, which can also help greatly reduce the risk of a future infection.
Jurionx (Author) Posted May 13, 2016 ID:1039620
It just happened again. I managed to see the application running the command prompt. It's nslookup.exe. The hijack is back.
Jurionx (Author) Posted May 13, 2016 ID:1039623
Here's the latest MBAM scan; it helped remove the registry values. But I need to find the source of this. Thanks for everything so far, Ron; your aid is perfect.
Attachment: scan.txt
AdvancedSetup (Root Admin) Posted May 13, 2016 ID:1039633
This almost has to be some type of browser add-on, toolbar, redirect, etc. What browser or what application were you running just before you saw this happen? Getting late for me, so I'll have to check back sometime tomorrow.

Let's go ahead and do a Full Scan with MBAM. Please open MBAM and go to SCAN > Custom Scan > Configure Scan. Make sure all 4 scanning options are selected. Then place a check mark at the top of your C: drive to have it scan all files on the drive. Then click the Scan Now button and let it run. As it will now scan even zip files, and all files, the scan can take a very long time, but hopefully it will find something to help us track this down. Thanks
Jurionx (Author) Posted May 13, 2016 ID:1039665
I was running Chrome. Will reply with the scan results.
Jurionx (Author) Posted May 13, 2016 ID:1039727
Here.
Attachment: Custom Scan.txt
AdvancedSetup (Root Admin) Posted May 14, 2016 ID:1039804
For the time being, can you please do the cleanup of Chrome and then fully uninstall Chrome? Make sure you export any bookmarks you want to keep. Then run the computer for a couple of days without Chrome, using either IE or Firefox, and let me know if this comes back.
Jurionx (Author) Posted May 15, 2016 ID:1040070
I have been using Firefox; sadly, the malware comes back. Here's the latest MBAM scan.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15/5/2016
Scan Time: 11:57 PM
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.05.15.04
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359763
Time Elapsed: 17 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 2
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [6ac6f8de9bfe55e16c45b3220bf8da26]
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [74bc6571ebae05319819785d2dd6df21]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
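The detection lines in this scan (and the single line in the 12/5 scan earlier in the thread) follow a fixed field layout, and the host in the PAC URL is a punycode label. The PowerShell below is an added example, not part of the thread and not Malwarebytes' own tooling: it pulls the fields out of the "Registry Values" detection lines of an MBAM 2.x log, notes whether the key is the 64-bit or the Wow6432Node (32-bit) view, and decodes the host with .NET's System.Globalization.IdnMapping. The log text in the block is constructed from the two lines posted above; the function name and output field names are choices made here.

```powershell
# Added example (not from the thread): parse Hijack.* registry detections
# from a Malwarebytes Anti-Malware 2.x scan log and decode the punycode host
# of the PAC URL. $SampleLog is constructed from the lines posted in this thread.

$SampleLog = @'
Registry Values: 2
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [6ac6f8de9bfe55e16c45b3220bf8da26]
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/server.pac, Quarantined, [74bc6571ebae05319819785d2dd6df21]
'@

function ConvertFrom-MbamRegistryDetection {
    param([Parameter(Mandatory)][string]$LogText)

    # One detection per line:
    #   <detection name>, <hive\key>|<value name>, <data>, <action>, [<32 hex chars>]
    $linePattern = '^(?<Name>[^,]+), (?<Key>[^|]+)\|(?<Value>[^,]+), (?<Data>[^,]+), (?<Action>[^,]+), \[(?<Hash>[0-9a-f]{32})\]\s*$'
    $idn = New-Object System.Globalization.IdnMapping

    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not ($line -match $linePattern)) { continue }
        $m = $Matches.Clone()   # the -match on the URL below overwrites $Matches

        # Wow6432Node is the 32-bit view of HKLM\SOFTWARE on 64-bit Windows;
        # 32-bit (WOW64) processes read their PAC URL from there.
        $view = if ($m['Key'] -match '\\WOW6432NODE\\') { '32-bit (Wow6432Node)' } else { '64-bit (native)' }

        $pacHost = $null; $unicodeHost = $null
        if ($m['Data'] -match '^https?://([^/:]+)') {
            $pacHost = $Matches[1]
            # xn-- labels are punycode; GetUnicode shows what a user would see in the URL bar
            try { $unicodeHost = $idn.GetUnicode($pacHost) } catch { $unicodeHost = $pacHost }
        }

        [pscustomobject]@{
            Detection   = $m['Name']
            RegistryKey = $m['Key']
            ValueName   = $m['Value']
            View        = $view
            Data        = $m['Data']
            PacHost     = $pacHost
            UnicodeHost = $unicodeHost
            Action      = $m['Action']
            Hash        = $m['Hash']
        }
    }
}

ConvertFrom-MbamRegistryDetection -LogText $SampleLog | Format-List
```

For the two sample lines this yields one object per view, and GetUnicode turns xn--koa.net into a single Latin small capital N (U+0274) followed by .net, which is why the URL does not look like an ordinary domain when it is displayed. Feed it the text of the saved scan.txt with Get-Content -Raw to run it over a real log.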
AdvancedSetup (Root Admin) Posted May 15, 2016 ID:1040111
Okay, there are a couple of ways we can track this down. One is quite a bit more complex, so let's try an easier way first. Please download and install WinPatrol (they should have a free version): http://www.winpatrol.com/startup.html
Then have it monitor your startup (it typically does this by default), then make sure the auto config entry has been removed. Then let WinPatrol monitor it. As soon as a process tries to add it back, WinPatrol should alert and tell you what process is trying to add it back. Please let me know what it says when it tries to come back.
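The same job can be done without a third-party monitor. The PowerShell below is an added example, not part of the thread and not from any product named in it: it lists the proxy values in the two HKLM views checked earlier in the thread and, as an addition, in every loaded user hive under HKEY_USERS (a hijack stored in another account's profile would not show up under HKCU), then subscribes to the WMI RegistryValueChangeEvent class so that the next write to AutoConfigURL is logged the moment it happens. A WMI registry event says only that the value changed; it does not name the writing process, so the list of recently started processes in the log line is a hint, not attribution. To identify the writer, use Process Monitor with a filter on the value name, or Sysmon event ID 13 (RegistryEvent, value set), which records the image that made the write. Register-WmiEvent is a Windows PowerShell 5.1 cmdlet; on PowerShell 7 use Register-CimIndicationEvent with the same namespace and query. The function and file names are choices made here.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell 5.1 session.
# Part 1 lists proxy-related values everywhere a PAC hijack like the one in this
# thread can sit; part 2 logs the instant AutoConfigURL is written again.

$ProxyValueNames  = 'AutoConfigURL', 'ProxyServer', 'ProxyEnable'
$InternetSettings = 'Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxySettingLocations {
    # 64-bit and 32-bit (Wow6432Node) views of HKLM, then every loaded user hive.
    $paths = @(
        "HKLM:\SOFTWARE\$InternetSettings",
        "HKLM:\SOFTWARE\Wow6432Node\$InternetSettings"
    )
    # Account SIDs look like S-1-5-21-...; the *_Classes hives are skipped by the regex.
    foreach ($hive in (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue)) {
        if ($hive.PSChildName -match '^S-1-5-21-[\d-]+$') {
            $paths += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\$InternetSettings"
        }
    }
    $paths
}

function Get-ProxyHijackIndicators {
    foreach ($path in Get-ProxySettingLocations) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($name in $ProxyValueNames) {
            $p = $props.PSObject.Properties[$name]
            if ($null -eq $p) { continue }
            # ProxyEnable = 0 and empty strings are the normal state; only report the rest.
            if ($name -eq 'ProxyEnable' -and [int]$p.Value -eq 0) { continue }
            if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
            [pscustomobject]@{ Path = $path; Name = $name; Value = $p.Value }
        }
    }
}

'--- current proxy values ---'
Get-ProxyHijackIndicators | Format-Table -AutoSize

# Part 2: RegistryValueChangeEvent (namespace root\default) fires on any write to the
# named value. It covers HKLM and HKU only, so both HKLM views are watched here.
# Backslashes are doubled because KeyPath is a WQL string literal.
$LogFile  = Join-Path $env:USERPROFILE 'Desktop\pacwatch.log'
$keyPaths = @(
    'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings',
    'SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
)
$i = 0
foreach ($kp in $keyPaths) {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='$kp' AND ValueName='AutoConfigURL'"
    Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier "PacWatch$i" -MessageData $LogFile -Action {
        $ev  = $Event.SourceEventArgs.NewEvent
        $key = 'HKLM:\' + $ev.KeyPath
        $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).AutoConfigURL
        $now = Get-Date
        # Processes started in the last 30 s: a hint about the writer, not proof.
        $recent = Get-Process | Where-Object {
            try { $_.StartTime -gt $now.AddSeconds(-30) } catch { $false }
        } | ForEach-Object { "$($_.ProcessName)[$($_.Id)]" }
        "$($now.ToString('s')) $key\AutoConfigURL -> '$val'; recent: $($recent -join ', ')" |
            Out-File -FilePath $Event.MessageData -Append -Encoding utf8
    } | Out-Null
    $i++
}
"Watching AutoConfigURL in both HKLM views; entries go to $LogFile."
"Stop with: Get-EventSubscriber | Where-Object SourceIdentifier -like 'PacWatch*' | Unregister-Event"
```

The subscriptions live only as long as the PowerShell session, so leave the window open while waiting for the value to reappear; the log line gives the exact time of the write and the value that was set, which is the timestamp to match against a Process Monitor capture or the Sysmon event log.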
Jurionx (Author) Posted May 16, 2016 ID:1040115
I'll run WinPatrol throughout the day and see if anything comes up. The AutoConfig was removed since my last MBAM scan. Thanks Ron.