Webpages popping up once opening another.


Hello! I've just made an account so that I can report this malicious problem. Whenever I would open a new webpage or a new task, and then proceed to interact with said webpage, the browser (in this case being Google Chrome) suddenly creates a new tab and redirects itself into an ad-filled, basically unwanted website. At least that's the gist of it.

I've installed Malwarebytes and have run a full computer scan, even completing the removal process by restarting, but the problem still exists. Running another scan, I found out the culprit suspected to be this "Hijack.AutoConfigURL.PrxySvrRST".

As soon as possible, I would be looking forward to cooperating closely with an expert with this issue. It really is a bugger. Although this can be quarantined by the anti-malware, it is only temporary as it seems to come back upon restarting.

I have included the log of the most previous scan, of which I have learnt that the malware comes back upon restarting. Thank you in advance.

____________________________________________________

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 16-Jun-16
Scan Time: 11:51 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.16.04
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: HUOR SAN CENTER 3

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301193
Time Elapsed: 13 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Hijack.AutoConfigURL.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, 0http://un-stop.info/wpad.dat?f5675b0c0ba45e094f03f44902d52a7a11699604, Quarantined, [ebb912ebf0a9d16501d05669e81abc44]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

________________________________________________


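The value Malwarebytes quarantined in the log above sits under the NlaSvc ManualProxies key and is a proxy auto-configuration (PAC/WPAD) URL. A PAC script tells the browser which proxy to use for every request, so a hijacked one can route traffic through a third-party server and inject the redirect tabs described in the post; because the setting is just a registry value, it can be re-created at startup by whatever installed it, which matches the "comes back after restart" behaviour. The following read-only PowerShell check is an added example, not part of the thread and not a Malwarebytes tool: it enumerates the standard WinINet proxy locations plus the NlaSvc key from the log and flags any PAC URL that points at a public host. The localhost/internal allow-list in the regular expression is an assumption to adapt to your own environment.

```powershell
# Added example (not from the thread): list persistent proxy / PAC settings and flag
# URLs that point outside the local machine or an internal domain. Read-only.
# Run from an elevated PowerShell prompt on the machine being checked.

$locations = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Names = @('AutoConfigURL', 'ProxyServer', 'ProxyEnable') },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Names = @('AutoConfigURL', 'ProxyServer', 'ProxyEnable') },
    # The key from the Malwarebytes log; Names = $null means "report every value in it"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies'
       Names = $null }
)

# Assumption: hosts matching this pattern are trusted; everything else is reviewed.
$trustedPacHost = '^\s*https?://(localhost|127\.0\.0\.1|[^/]+\.(corp|internal|local))(/|:|$)'

function Get-ProxySettingFindings {
    $findings = @()
    foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        $key = Get-ItemProperty -Path $loc.Path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }

        # Either the named values, or every value except the PS* metadata properties
        $names = if ($loc.Names) { $loc.Names } else {
            ($key.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
        }

        foreach ($name in $names) {
            $value = $key.$name
            $text  = "$value"
            if ($text -eq '' -or $text -eq '0') { continue }   # unset or disabled

            # A URL embedded in a proxy setting that is not on the trusted list is the
            # classic AutoConfigURL hijack indicator; plain proxy host:port entries are
            # listed but not flagged.
            $suspicious = ($text -match 'https?://') -and ($text -notmatch $trustedPacHost)

            $findings += [pscustomobject]@{
                Path       = $loc.Path
                Name       = $name
                Value      = $text
                Suspicious = $suspicious
            }
        }
    }
    return $findings
}

$results = Get-ProxySettingFindings
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No proxy or PAC settings are configured in the checked locations.'
}
```

Anything reported with Suspicious = True deserves the same treatment the thread gives the quarantined value: note the URL, remove the setting, then re-run the check after a reboot to confirm nothing re-creates it.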
  • Staff

Hello and welcome to the Malwarebytes forum.

Please run the following:

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Here are the logs. I have also discovered some suspicious activity. One of which is being that when I navigate through windows explorer and create a new folder, the program attempts to open up a program that has been selected by the cursor. Another, more dangerous one, is that the laptop fails to fully boot at every two startups. May this be related to my current issue? I look forward to your reply.

FRST.txt

Addition.txt


  • Staff

Do you recall which program and where it resided?

There is a hidden program on the system

bl (x32 Version: 1.0.0 - Your Company Name) Hidden

I am going to unhide it with the FRST script > once the script is done see if you can find that program and let me know what it is.

Please do the following:

Download attached fixlist.txt file and save it to the Downloads folder where FRST64.exe is saved

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Fixlist.txt


Unfortunately I am unable to search for " bl (x32 Version: 1.0.0 - Your Company Name) Hidden ". Please, excuse my lack of technical expertise. However, I have followed your instructions and here is the log. I think I described the Windows Explorer 'bug' incorrectly. When you single-click an installation .exe file and then create a new folder, the Explorer first attempts to open the installation file, causing the windows security-administration-request prompt to appear. Might have been a bug after all, but I am using a WIN 7 OS for quite some time now and this seems suspicious.

Fixlog.txt


  • Staff

Fixlist.txt

Please do this

Download attached fixlist.txt file and save it to the Downloads folder where FRST64.exe is saved

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.


Yeah, I suppose it is a UAC prompt; just didn't know what it's called technically.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18-Jun-16
Scan Time: 9:11 AM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.17.07
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: HUOR SAN CENTER 3

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302728
Time Elapsed: 18 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

uacPrompt.png


  • Staff

Hello

Yes, that's a normal security warning when the program you are trying to run doesn't have a verified digital certificate. (It's a little different from the UAC prompt)

In this case it's the VLC setup file; as long as you are certain of the source, then that's ok to run.

There is a small box you can uncheck if you don't want it asking you all the time.

See here for more information about this.

http://www.sevenforums.com/tutorials/182353-open-file-security-warning-enable-disable.html

How is the PC behaving now, are there any outstanding issues?


The suspicious and ultimately awkward thing about it is that I clicked create folder and it proceeded to prompt the UAC; after denying access, it then creates a folder. It may be let down easily as a bug by Microsoft, but I'm a little skeptical about it.

EDIT: So far, no issues involving booting and using the browser. Thank you so much.

Edited by waltervan00

  • Staff

Ok, it might just be a glitch.

Let's run the following:

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner

  • Click the "Options" menu heading on the menu bar and uncheck "Reset Winsock Settings"

  • Now select Scan

  • If items are found, please select the Cleaning button

  • Once done it will ask to reboot, allow the reboot

  • On reboot a log will be produced, please attach the content of the log to your next reply


Before I command the program to clean, here is the log file. I feel that I need the good to go before I continue to remove all these selected files, as some are related to my antivirus and also because the issue related to my web surfing is virtually resolved. If you spot any adware or unwanted assets then please tell me and I'll remove them. As for the glitch, is there really nothing I can do about it?

AdwCleaner[S1].txt


  • Staff

All of those AVG references are the bloatware add-ons that you don't need, such as search engines and toolbars.

Removing those items does not affect the actual AVG antivirus at all.

Unless you use and like the toolbars etc., it's ok to remove everything listed; it's up to you.

Do you see the same behaviour with the security warning in all the browsers?

Did you uncheck the box for how to disable?

http://www.sevenforums.com/tutorials/182353-open-file-security-warning-enable-disable.html


These UAC (security prompts) are from the usual file management program found in the Windows OS, not internet browsers whatsoever. To be frank, I'll just lay it off as a glitch and have to deal with it. I'd prefer to keep the warnings coming so I don't accidentally initiate an installation, but thank you for your advice. And yes, I will be removing the files detected by AdwCleaner, so will there be anything else I'll be doing?


Here's a log for reference.

# AdwCleaner v5.200 - Logfile created 20/06/2016 at 18:33:06
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-20.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (X64)
# Username : HUOR SAN CENTER 3 - HUORSANCENTER3
# Running from : C:\Users\HUOR SAN CENTER 3\Downloads\AdwCleaner\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : WtuSystemSupport
[-] Service Deleted : vToolbarUpdater40.3.1

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\AVG Secure Search
[-] Folder Deleted : C:\ProgramData\AVG Security Toolbar
[-] Folder Deleted : C:\ProgramData\avg web tuneup
[#] Folder Deleted : C:\ProgramData\Application Data\AVG Secure Search
[#] Folder Deleted : C:\ProgramData\Application Data\AVG Security Toolbar
[#] Folder Deleted : C:\ProgramData\Application Data\avg web tuneup
[-] Folder Deleted : C:\Program Files (x86)\avg web tuneup
[-] Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
[-] Folder Deleted : C:\Users\HUOR SAN CENTER 3\AppData\Local\avg web tuneup
[-] Folder Deleted : C:\Program Files\Common Files\AVG Secure Search

***** [ Files ] *****

[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\components\AskSearch.js

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\s
[-] Key Deleted : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
[-] Key Deleted : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.GenericWnd.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj
[-] Key Deleted : HKLM\SOFTWARE\Classes\WtuServer.WtuServerObj.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4BC8AD89-AC5F-4DBD-A38F-C355C7DD33D7}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B0DE3308-5D5A-470D-81B9-634FC078393B}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\WinToFlash Suggestor
[-] Key Deleted : HKLM\SOFTWARE\AVG Tuneup
[-] Key Deleted : HKLM\SOFTWARE\SrpnFiles
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKU\S-1-5-21-116893555-3398319076-3125001844-1000\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Data Restored : HKU\S-1-5-21-116893555-3398319076-3125001844-1000\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\mysearch.avg.com
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [ Web browsers ] *****

[-] [C:\Users\HUOR SAN CENTER 3\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\HUOR SAN CENTER 3\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\HUOR SAN CENTER 3\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.yahoo.com
[-] [C:\Users\HUOR SAN CENTER 3\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : free-media-converter.en.softonic.com

*************************

:: "Tracing" keys deleted

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [5573 bytes] - [20/06/2016 18:33:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [5654 bytes] - [19/06/2016 08:24:08]
C:\AdwCleaner\AdwCleaner[S2].txt - [6241 bytes] - [20/06/2016 18:27:45]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5792 bytes] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 21-Jun-16
Scan Time: 5:15 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.21.03
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: HUOR SAN CENTER 3

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302281
Time Elapsed: 19 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Is this a hurrah?


  • Staff

Looks good.

At this time there are no more signs of any infection on your system.

However if you are still having issues please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.
Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
AdwCleaner > just run the program and click uninstall.

If there are any other left over Folders, Files, Logs you can delete them.
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.


  • 5 months later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.