Chrome browser opens to Index

[kevinf80]

Yes repair is OK, all that means is a specific entry is repaired instead of removal. The hosts file is a prime example. Hosts is returned to default setting instead of outright removal

[kevinf80]

Post the Zemana log when it completes, also give an update on any remaining issues or concerns.....

[parydairy]

Here's the Zemana log:

 

Zemana AntiMalware 2.21.2.139 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/7/1
Operating System       : Windows 10 64-bit
Processor              : 4X AMD A10-6700 APU with Radeon(tm) HD Graphics
BIOS Mode              : Legacy
CUID                   : 1243C3A715EC124CE35B70
Scan Type              : Smart Scan
Duration               : 9m 40s
Scanned Objects        : 116558
Detected Objects       : 8
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Internet Explorer Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut

Internet Explorer Search
Status             : Scanned
Object             : Search The Web (buenosearch) - http://buenosearch.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Search

Chrome Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

Chrome Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

Chrome Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

Chrome Shortcut
Status             : Scanned
Object             : "
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

Hosts File
Status             : Scanned
Object             : %systemroot%\system32\drivers\etc\hosts
MD5                : 243C0898B4676FBCE7A885E540CB33E8
Publisher          : -
Size               : 1068
Version            : -
Detection          : Hosts Hijack
Cleaning Action    : Repair
Related Objects    :
                Hosts file - Too many empty lines in Hosts file
                File - %systemroot%\system32\drivers\etc\hosts

Cleaning Result
-------------------------------------------------------
Cleaned               : 8
Reported as safe      : 0
Failed                : 0
 

[kevinf80]

What is the current status of your system, do you have any remaining issues or concerns....?

[parydairy]

It seems that the issue has been fixed! My browser no longer opens to Index and now opens to Google!

Do I still have to download and run AdwCleaner and Sophos?

[kevinf80]

Yes please, i`d like to make sure we have a difinite fix of your system. The infection that was present on your system is usually fixed with FRST in the first fix run, your case turned out to be different, just to be sure continue with AdwCleaner and Sophos, post the produced logs and give an update on system status....

[parydairy]

The Sophos one is taking a while to finish, but here is the AdwCleaner log:

 

# AdwCleaner v5.201 - Logfile created 01/07/2016 at 16:11:48
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-01.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Captain Shrek-it - CAPTAINSHREK-IT
# Running from : C:\Users\Captain Shrek-it\Desktop\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\WINDOWS\cSysSecure1.0.0.5
[-] Folder Deleted : C:\Users\Captain Shrek-it\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Users\Captain Shrek-it\AppData\Roaming\YourFileDownloader

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

[-] Task Deleted : YourFile DownloaderUpdate

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BAB04997-93AD-4C13-805A-0409199700BB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKCU\Software\USyndication
[-] Key Deleted : HKCU\Software\usyndication.com
[-] Key Deleted : HKCU\Software\YourFileDownloader
[-] Key Deleted : HKCU\Software\MICROSOFT\OTUT
[-] Key Deleted : HKCU\Software\systweak
[-] Key Deleted : HKCU\Software\INSTALLPATH\STATUS
[-] Key Deleted : HKLM\SOFTWARE\YourFileDownloader
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetStream 1.0
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{2B7D2293-F53D-4D14-93E0-90035631F71B}]
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\search.mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\search.mpc.am
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SYSSECURE

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2808 bytes] - [01/07/2016 16:11:48]
C:\AdwCleaner\AdwCleaner[S1].txt - [6874 bytes] - [01/07/2016 13:41:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2954 bytes] ##########
 

[parydairy]

The Sophos one is taking a while to finish, but here is the AdwCleaner log:

 

# AdwCleaner v5.201 - Logfile created 01/07/2016 at 16:11:48
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-01.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Captain Shrek-it - CAPTAINSHREK-IT
# Running from : C:\Users\Captain Shrek-it\Desktop\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\WINDOWS\cSysSecure1.0.0.5
[-] Folder Deleted : C:\Users\Captain Shrek-it\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Users\Captain Shrek-it\AppData\Roaming\YourFileDownloader

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

[-] Task Deleted : YourFile DownloaderUpdate

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BAB04997-93AD-4C13-805A-0409199700BB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKCU\Software\USyndication
[-] Key Deleted : HKCU\Software\usyndication.com
[-] Key Deleted : HKCU\Software\YourFileDownloader
[-] Key Deleted : HKCU\Software\MICROSOFT\OTUT
[-] Key Deleted : HKCU\Software\systweak
[-] Key Deleted : HKCU\Software\INSTALLPATH\STATUS
[-] Key Deleted : HKLM\SOFTWARE\YourFileDownloader
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetStream 1.0
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{2B7D2293-F53D-4D14-93E0-90035631F71B}]
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\search.mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mpc.am
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\search.mpc.am
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SYSSECURE

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2808 bytes] - [01/07/2016 16:11:48]
C:\AdwCleaner\AdwCleaner[S1].txt - [6874 bytes] - [01/07/2016 13:41:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2954 bytes] ##########
 

[parydairy]

And then here is the log for Sophos. Starting clean up now.

 

2016-07-01 23:20:25.053    Sophos Virus Removal Tool version 2.5.5
2016-07-01 23:20:25.053    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-07-01 23:20:25.053    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-07-01 23:20:25.053    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-07-01 23:20:25.054    Checking for updates...
2016-07-01 23:20:25.077    Update progress: proxy server not available
2016-07-01 23:20:32.131    Downloading updates...
2016-07-01 23:20:32.132    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement SAVIW32 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE527 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE528 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE529 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE530 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE531 LATEST 
2016-07-01 23:20:32.142    Update progress: [I49502] Found supplement IDE532 LATEST 
2016-07-01 23:20:32.142    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-07-01 23:20:32.143    Update progress: [I19463] Syncing product SAVIW32 70
2016-07-01 23:20:38.048    Update progress: [I19463] Syncing product IDE527 142
2016-07-01 23:20:42.542    Option all = no
2016-07-01 23:20:42.542    Option recurse = yes
2016-07-01 23:20:42.542    Option archive = no
2016-07-01 23:20:42.542    Option service = yes
2016-07-01 23:20:42.542    Option confirm = yes
2016-07-01 23:20:42.542    Option sxl = yes
2016-07-01 23:20:42.546    Option max-data-age = 35
2016-07-01 23:20:42.546    Option EnableSafeClean = yes
2016-07-01 23:20:43.954    Installing updates...
2016-07-01 23:20:52.753    Option vdl-logging = yes
2016-07-01 23:20:53.759    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-01 23:20:53.760    Machine ID:    79ed590cf99f40a9a7da4d4895e7ca1b
2016-07-01 23:20:53.760    Component SVRTcli.exe version 2.5.5
2016-07-01 23:20:53.760    Component control.dll version 2.5.5
2016-07-01 23:20:53.760    Component SVRTservice.exe version 2.5.5
2016-07-01 23:20:53.760    Component engine\osdp.dll version 1.44.1.2250
2016-07-01 23:20:53.761    Component engine\veex.dll version 3.65.0.2250
2016-07-01 23:20:53.761    Component engine\savi.dll version 9.0.1.2250
2016-07-01 23:20:53.761    Component rkdisk.dll version 1.5.30.0
2016-07-01 23:20:53.761    Version info:    Product version    2.5.5
2016-07-01 23:20:53.761    Version info:    Detection engine    3.65.0
2016-07-01 23:20:53.761    Version info:    Detection data    5.26
2016-07-01 23:20:53.761    Version info:    Build date    4/5/2016
2016-07-01 23:20:53.761    Version info:    Data files added    558
2016-07-01 23:20:53.762    Version info:    Last successful update    (not yet updated)
2016-07-01 23:20:53.762    Error level 1
2016-07-01 23:20:53.801    Update progress: [I19463] Syncing product IDE528 127
2016-07-01 23:20:53.801    Update progress: [I19463] Syncing product IDE529 135
2016-07-01 23:20:53.801    Update progress: [I19463] Syncing product IDE530 160
2016-07-01 23:20:53.801    Update progress: [I19463] Syncing product IDE531 1
2016-07-01 23:20:53.801    Update progress: [I19463] Syncing product IDE532 1
2016-07-01 23:21:05.814    Update successful
2016-07-01 23:21:25.865    Option all = no
2016-07-01 23:21:25.883    Option recurse = yes
2016-07-01 23:21:25.883    Option archive = no
2016-07-01 23:21:25.883    Option service = yes
2016-07-01 23:21:25.883    Option confirm = yes
2016-07-01 23:21:25.883    Option sxl = yes
2016-07-01 23:21:25.883    Option max-data-age = 35
2016-07-01 23:21:25.883    Option EnableSafeClean = yes
2016-07-01 23:21:27.102    Option vdl-logging = yes
2016-07-01 23:21:27.109    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-01 23:21:27.109    Machine ID:    79ed590cf99f40a9a7da4d4895e7ca1b
2016-07-01 23:21:27.111    Component SVRTcli.exe version 2.5.5
2016-07-01 23:21:27.111    Component control.dll version 2.5.5
2016-07-01 23:21:27.111    Component SVRTservice.exe version 2.5.5
2016-07-01 23:21:27.112    Component engine\osdp.dll version 1.44.1.2250
2016-07-01 23:21:27.112    Component engine\veex.dll version 3.65.0.2250
2016-07-01 23:21:27.112    Component engine\savi.dll version 9.0.1.2250
2016-07-01 23:21:27.115    Component rkdisk.dll version 1.5.30.0
2016-07-01 23:21:27.115    Version info:    Product version    2.5.5
2016-07-01 23:21:27.116    Version info:    Detection engine    3.65.0
2016-07-01 23:21:27.116    Version info:    Detection data    5.26
2016-07-01 23:21:27.116    Version info:    Build date    4/5/2016
2016-07-01 23:21:27.116    Version info:    Data files added    558
2016-07-01 23:21:27.116    Version info:    Last successful update    7/1/2016 4:21:05 PM

2016-07-01 23:58:04.029    Could not open C:\hiberfil.sys
2016-07-01 23:58:22.103    Could not open C:\pagefile.sys
2016-07-02 00:23:27.198    >>> Virus 'Troj/Agent-AJTU' found in file C:\Program Files (x86)\The Sims 4\Game\Bin\rld.dll
2016-07-02 00:23:39.364    >>> Virus 'Troj/Agent-APRJ' found in file C:\Program Files (x86)\The Sims 4\Game\Bin\RldOrigin.dll
2016-07-02 00:23:52.790    >>> Virus 'Troj/Agent-APRJ' found in file C:\Program Files (x86)\The Sims 4\Game\Bin\RldOrigin_x64.dll
2016-07-02 00:26:21.857    Could not open C:\swapfile.sys
2016-07-02 00:26:22.203    Could not open C:\System Volume Information\{2de25c22-337f-11e6-9c81-e03f49e6da1b}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-02 00:26:22.204    Could not open C:\System Volume Information\{314f0811-3f23-11e6-9c88-e03f49e6da1b}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-02 00:26:22.205    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-02 00:26:22.205    Could not open C:\System Volume Information\{b6d34e11-30cf-11e6-9c76-e03f49e6da1b}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-02 00:26:22.206    Could not open C:\System Volume Information\{b7f65966-3806-11e6-9c83-e03f49e6da1b}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-02 00:27:30.222    Could not open C:\Users\Captain Shrek-it\AppData\Local\Google\Chrome\User Data\Profile 1\Current Session
2016-07-02 00:27:30.223    Could not open C:\Users\Captain Shrek-it\AppData\Local\Google\Chrome\User Data\Profile 1\Current Tabs
2016-07-02 00:59:32.353    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-07-02 00:59:32.356    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-07-02 00:59:37.248    Could not open C:\Windows\System32\config\BBI
2016-07-02 00:59:37.653    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-07-02 00:59:37.691    Could not open C:\Windows\System32\config\RegBack\SAM
2016-07-02 00:59:37.695    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-07-02 00:59:37.706    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-07-02 00:59:37.712    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-07-02 01:32:10.158    Could not open LOGICAL:0005:00000000
2016-07-02 01:32:10.181    Could not open F:\
2016-07-02 01:32:10.291    Could not open PHYSICAL:0081:0000:0000:0001
2016-07-02 01:32:10.328    The following items will be cleaned up:
2016-07-02 01:32:10.329    Troj/Agent-AJTU
2016-07-02 01:32:10.329    Troj/Agent-APRJ
 

[kevinf80]

Thanks for the log, if no remaing issues or concerns run the following to clean up...

To uninstall Zemana and Sophos use the following:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information) Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required. Run the tool, the main GUI will populate with installed programs list, Left click on Program name to highlight that entry. Select Action from the Menu bar, then Uninstall from there follow the prompts. If Uninstall fails open the "Action" menu one more time and use "Force Removal" option. Next, Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

[parydairy]

Thank you SO much for all of your help, Kevin!!! It was very much appreciated, thank you.

[kevinf80]

You`re very welcome parydairy, it was a pleasure to work with you....

Regards,

Kevin...

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!