
I've accidentally installed a bundled browser hijacker



It's not letting me install ad block to Chrome and is also preventing installation of Malwarebytes. There were some files called "gB59E.tmp.exe" and variations of those that run as processes in the background. I've done 3 scans with Avast and it seemed to have deleted some viruses that came installed, but this one thing seems to always come back and prevent things.

I get an error "Runtime Error (at 14:76) could not call proc" when trying to install Malwarebytes, and the download for Adblock fails. Also, trying to download and run the Chrome installer from Internet Explorer mentions the file has been deleted or moved, unless I manually save it somewhere myself and then run it.

 

Here are the Farbar Recovery Scan Tool log files; I've been lurking and seen some threads mentioning their use. Hope they provide some insight, thanks!

FRST.txt

Addition.txt


Hello Onepercent and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save, you can copy or attach that to your reply...

If Malwarebytes will not install try to install via Chameleon, instructions at following link:

https://www.malwarebytes.com/chameleon/

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...
 
One other point, this private IP address is used for internet connection DNS servers: 10.0.0.138. Is it known to you and trusted..?

Thank you,

Kevin...

fixlist.txt

Edited by kevinf80

Okay, I couldn't install Malwarebytes normally so I used Chameleon to install and run. Because of the nature of Chameleon doing everything automatically I couldn't set any specifics such as rootkits and archives before the scan, though it seemed they were already checked by default after the scan.

The "Fixlog" is attached

And both Mbam-log and the protection log for today are included as attached

As for the 10.0.0.138 DNS, that is my internet router, which is trusted.

 

EDIT: The Mbam and protection logs are in XML format due to me not being able to specify because of Chameleon automating the scan, and aren't supported by this forum. What should I do?

Fixlog.txt

Edited by Onepercent

I do not want logs in XML format.....

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Scan Report" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

 


I'm sorry but Malwarebytes no longer has the section you are directing me to; the Malwarebytes program is no longer in free trial and the UI doesn't have those options.

EDIT: Well, this is embarrassing. This is my first time using Malwarebytes, hope you understand. So on the free version after the trial period ends, I can do what you asked via the history, and within the application logs. I apologize for my incompetence.

 

 

Mbam Logfile.txt

Protection Logfile.txt

Edited by Onepercent

Thanks for those logs, continue with the following:

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin

 


Okay, I'm resuming the fixing process. I haven't installed anything new or changed anything apart from saving some Word documents so hopefully nothing should have changed in the meantime. Expect results in the hours it takes for the scan to complete.

Edited by Onepercent

Run the following scan and post its log...

Please download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.



Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Thank you,

Kevin...


GMER log is clean, nothing sinister found... Run Malwarebytes Cleaner Utility, available at the following link:

https://downloads.malwarebytes.com/file/mb_clean

Ensure to reboot when the utility completes...

Next,

Set Windows up for a "Clean Boot". Instructions here: https://support.microsoft.com/en-sg/help/929135/how-to-perform-a-clean-boot-in-windows

Next,

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

Does the install complete?

 


I downloaded the Malwarebytes cleaner which completely removed any Malwarebytes program. I then set a clean boot and restarted (which is what the Windows instructions told me to do). But now trying to install Malwarebytes is blocked by the administrator and is preventing me from using the Malwarebytes installer. Shall I disable clean boot and then install Malwarebytes? Then AFTER installation initiate clean boot?


The clean boot option disables all 3rd party services, no MS services are changed. I had hoped clean boot would let Malwarebytes install... The same link with instructions for clean boot also has instructions to reset back to Normal mode. Do that please...

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

When RKill completes try Malwarebytes install one more time..

 


I rebooted back into normal mode via msconfig settings.

I then tried installing Malwarebytes, but it still showed the red "Admin blocked the install 'Not trusted' etc"

I then ran Rkill from the desktop and it successfully completed its process from the DOS window, logfile is attached in this reply..

I then tried installing Malwarebytes again, but it still shows the red "Admin blocked the install 'Not trusted' etc". This is really weird.. I await further commands.

Rkill.txt


Do the following:

a)    Click Start
b)    In the search box type regedit, select OK to open registry editor
c)    Select Edit then Permissions
d)    Select Advanced tab and Select Permissions from tab menu

Have a look at your listed Administrator account, what are the permissions...?

Capture.JPG


aLhThy1l.jpg

SZxUUts.png

 

The Administrator is on full control. Also, the other image is what the admin blocked prompt looks like when I try to run the Malwarebytes installer. I used my phone to take a pic because print screen doesn't work when it shows up.

Edited by Onepercent

This topic is now closed to further replies.