Jump to content

Can't remove a redirect


Recommended Posts

Here's what I know.

Symptoms started maybe a week or two ago. The only unfamiliar program installed in that timeframe is Dual-Core Optimizer by AMD (I have intel and nvidia) but I'm scared to uninstall any unfamiliar programs in case it breaks my PC (Deleted wrong things in the past, did not end well). The redirect doesn't get noticed by any antivirus I've tried - MWB, HMP, AdwCleaner and more. It has hijacked both Firefox and IE. Resetting the brower removed it temporarily. It only covers the whole page of "suspicious" websites for movie streaming and dowloading (I trust these sites and have used them long before this adware popped up). Inspecting the element reveals this code (< and > removed):

script type="text/javascript" src="http://creative.speednetwork14.com/speednetwork14/tags/xpopup/xpopup.js?ap=1303" /script

a style="width:100%; height:100%; display:block!important; position:fixed; top:0px; left:0px;cursor: pointer;z-index: 2147483647;" onclick="mainWidget_globalTm.cmqdngnimgnfvziaspnwyhimhihtkh('PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQ+ZG9jdW1lbnQubG9jYXRpb24uaHJlZj0naHR0cDovL3BvcC5yZWRpcmVjdC5hZHNqdWRvLmNvbS9yZC9yZHAuaHRtbD91PWh0dHAlM0ElMkYlMkZyZWtvdmVyci5hZGsyeC5jb20lMkZpbXAlM0ZwJTNENzQ5OTQ5MDklMjZjdCUzRGh0bWwlMjZhcCUzRDEzMDMlMjZpc3MlM0QwJTI2ZiUzRDAlMjZhYiUzRDUwMDMlMjZwc2lkJTNEcmVrb3ZlcnImY2w9ZGYwM2U0N2UtOWVmYy1jMzVlLTU0YjktYmQwMzNjYzIxM2E1Jzwvc2NyaXB0PjwvYm9keT48L2h0bWw+');mainWidget_globalTm.close_all();" /a

Removing this code is the only workaround I've found.

FRST logs attached. Hope you're able to help me get rid of this nuisance.

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello Dragonbahn and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs in your reply, also ell me if there are any remaining issues or concerns...

Thank you,

Kevin..

 

Link to post
Share on other sites

MWB Log attached

AdwCleaner log:

# AdwCleaner v6.040 - Logfile created 07/12/2016 at 20:19:13
# Updated on 02/12/2016 by Malwarebytes
# Database : 2016-12-07.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Biohazard - REBEL_SCUM
# Running from : C:\Users\Biohazard\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

 

***** [ Folders ] *****

 

***** [ Files ] *****

 

***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

 

***** [ Registry ] *****

 

***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2116 Bytes] - [10/11/2016 12:15:17]
C:\AdwCleaner\AdwCleaner[C2].txt - [848 Bytes] - [07/12/2016 20:19:13]
C:\AdwCleaner\AdwCleaner[S0].txt - [2071 Bytes] - [10/11/2016 12:14:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [1321 Bytes] - [10/11/2016 12:23:03]
C:\AdwCleaner\AdwCleaner[S2].txt - [1392 Bytes] - [28/11/2016 18:11:42]
C:\AdwCleaner\AdwCleaner[S3].txt - [1465 Bytes] - [05/12/2016 17:05:57]
C:\AdwCleaner\AdwCleaner[S4].txt - [1532 Bytes] - [07/12/2016 20:18:49]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1285 Bytes] ##########

 

When I tried to run Junkware removal I got the error 0x80070002 on validating restore point. Should I continue or would that risk bricking my computer?

 

MWBLog.txt

Link to post
Share on other sites

When I tried to run Junkware removal I got the error 0x80070002 on validating restore point. Should I continue or would that risk bricking my computer?

Retried without an error:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 7 Home Premium x64
Ran by Biohazard (Administrator) on 2016-12-07 at 20:34:11,00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


File System: 27

Successfully deleted: C:\Users\Biohazard\AppData\Local\{09402DC5-6F30-4E66-AC8B-225CBBFF4D11} (Empty Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\{7E7EDAAF-1C69-435B-B64F-4971273D3300} (Empty Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Roaming\speedrunnerslog.txt (File)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20NWPJ7L (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\33L110U9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TWFWQAM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KMXKCU3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CP0QIYCA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LWE7ORF4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QETLL4R6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Biohazard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVP5CM77 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20NWPJ7L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\33L110U9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TWFWQAM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KMXKCU3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CP0QIYCA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LWE7ORF4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QETLL4R6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVP5CM77 (Temporary Internet Files Folder)

 

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} (Registry Key)

 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-12-07 at 20:35:39,45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Just now scanning through the files reported in the log I remembered that files in the Internet Explorer folder were repetedly reported as infected every time I removed one of the infected files a while back but since I didn't see any actual symptoms I wrote it off as a false alarm and gave it permission. Dumb idea? Dumb idea.

Sophos is taking it's sweet old time so I'll update tomorrow.

Link to post
Share on other sites

26 minutes ago, kevinf80 said:

What is the current status of your system, do you have any remaining issues or conceerns....?

No change sadly :(

But as previosly stated, there is a workaround. My only concern is what kind of breach in security and stability this may cause to my system if any. No antivirus were able to detect a breach of any kind so I'm starting to wonder if it even is a virus.

Link to post
Share on other sites

6 minutes ago, Dragonbahn said:

No change sadly :(

But as previosly stated, there is a workaround. My only concern is what kind of breach in security and stability this may cause to my system if any. No antivirus were able to detect a breach of any kind so I'm starting to wonder if it even is a virus.

I just found the problem. I tried starting firefox in secure mode to see if the popup dissapeared and it did. My only plugin is uBlock origin. So when I started firefox again and turned off uBlock the popup dissapeared.

You have the power of a mum. Helps me search in the wrong places until I find the right place to look...

Now the only thing I'm wondering is what JRT found and removed.

Thanks for the very professional support.

Edited by Dragonbahn
Link to post
Share on other sites

The issue at hand is a redirect that affects FireFox and Internet Explorer... Lets go for a full clean install of Firefox, see if that clears the issue...

Make a "Clean" install Firefox:

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Next,

Go here: http://www.mozilla.org/en-US/ download save the latest version of Firefox.. We will install this later...

Next,

Lets totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

Ensure when the uninstall completes to navigate to and delete the firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open select these keys together :- Ctrl - Shift - A that will access Addons manger, this gives access to find addons/extensions, use, start, stop or disable those features etc....

Ensure to use search to find and install AdBlock plus, Flashblock and DrWeb Anti-Virus Link Checker plus any other addons you normally use.... Now try surfing, see what happens...

 

Link to post
Share on other sites

I don`t understand the language...? if that is an exception I`d definitely remove it... then scan with the following:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.