Stubborn browser hijackers

[pkmorgan]

Hi, 

I have a couple of hijackers that keep appearing after i've run the malwarebytes program and followed the steps to remove them.  One is the yourtv and the other is Startsear.info?

I think so anyway. 

I hope you all can help. 

Thanks, and I recommend malwarebytes all the time.. 

 

Addition.txt

FRST.txt

[Android8888]

Hello pkmorgan and  Forums.

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Read all of my instructions very carefully because any mistake you can make during the cleaning process may have serious consequences such as leaving the computer unbootable.

Please DO NOT run any tools on your own or make any other changes to your computer and follow the directions in the order listed during the malware removal process, otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Once started the malware removal process should be completed. Even if the computer appears to be running better at some point, it may still be infected as some infections are difficult to remove and can leave remnants on the System that need to be removed also.

With that being said let's start.

Going over your logs I noticed that you have Torrent installed.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Torrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features.
NOTE: If you wish to keep it, please do not use it until your computer is cleaned.

Please right-click on Start > select Control Panel > Programs and Features and remove Coupon Printer for Windows. This application is considered a PUP (Potentially Unwanted Program) that can install Adware in your System.

Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
• Right-click on the FRST executable and select Run as Administrator;
• Click on the Fix button;
  
  Credits: Aura
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
• Please attach the fixlog.txt in your next reply;
  

Next,

• Download Junkware Removal Tool (JRT) and move it to your Desktop;
• Right-click on JRT.exe and select Run as Administrator;
• Press on any key to launch the scan and let it complete;
  
  Credits: Bleeping Computer and Aura
• Once the scan is complete, a log will open. Please attach that log in your next reply;
  

Next,

• Download AdwCleaner and move it to your Desktop;
• Right-click on AdwCleaner.exe and select Run as Administrator;
• Accept the EULA (I accept), let the database update, then click on Scan;
• Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  
  Credits: Aura
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
• After the restart, a log will open when logging in. Please attach that log in your next reply;
  

Next,

• Open Malwarebytes;
• On the left pane select Settings;
• Select the Protection tab;
• Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
• Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
• When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selectedbutton.
• While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
• The log can also be viewed by clicking the log to select it, then clicking the View Report button.
• Please attach the log in your next reply.

In your next reply please attach:
The fixlog.txt;
The JRT.txt log;
The AdwCleaner clean log;
The Malwarebytes log.

Let me know how is the computer running at this moment.

Thank you.

Rui

fixlist.txt

[pkmorgan]

Hi Rui, 

I followed the instructions to the letter. i removed utorrents, removed coupon printer, ran the programs and attached the files. After it rebooted Malwarebytes keeps closing chrome. I found fqwvv.exe running in the background. 

Please advise. 

Do i need to run another FRST scan?

 

Thank you so much for your help. 

Patrick 

malwarebyteslog.txt

JRT.txt

AdwCleaner[C4].txt

Fixlog.txt

[Android8888]

Hello pkmorgan.

Okay, thank you for those logs.

10 hours ago, pkmorgan said:

Do i need to run another FRST scan?

Yes. Please re-run FRST.

Make sure the Addition.txt box is check-marked and click the Scan button.

After the scan is complete please attach the two new logs (FRST.txt and Addition.txt) for my review and wait for further instructions.

 

Thank you.

Rui

[pkmorgan]

Hi Rui,

I got your reply this morning. when I went to open my internet at home my browser was straight hijacked again.

Also do I need to reboot and start fresh before I run the FRST scan? or just do it when I get home?

 

Thanks

Patrick

[Android8888]

Hello Patrick.

You can restart the computer and then re-run FRST.

Before running the new scan make sure the Addition.txt box is check-marked.

After the scan is complete please attach the new two logs (FRST.txt and Addition.txt) in your next reply for my review.

Thank you.

Rui

[pkmorgan]

HI Rui, 

Here are the latest scans

FRST.txt

Addition.txt

[Android8888]

Hello pkmorgan.

Thank you for the logs.

You have code integrity errors that could be due to disk controller or hard drive issues. It's best you run a full disk check to make sure there are no errors on the hard drive. Running the script below (fixlist.txt) will also try to invoke the disk check for you on restart. Please be patient and let it finish.

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
• Right-click on the FRST executable and select Run as Administrator;
• Click on the Fix button;
  
  Credits: Aura
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
• Please attach the fixlog.txt in your next reply;
  

 

Please download Zemana AntiMalware and save it to your Desktop.

• Right-click on the icon and select Run as administrator to install the program.
• Click Yes to accept the security warning.
• Once the installation is complete it will start automatically.
• Without changing any options, press Scan to begin.
• After the short scan is finished, if threats are detected press Next to remove them.
  Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
• Click on the Back button.
• On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
• Now click File > Save As, then choose your Desktop and click the Save button.
• Please attach the saved report in your next reply.

Please attach the following logs in your next reply:
fixlog.txt;
Zemana log;

Let me know what issues or concerns are you still having with your computer.

Thank you.

Rui

fixlist.txt

[pkmorgan]

Hi Rui, 

here are the zemana log and the fixlog. 

I also ran the malwarebytes too, and it still keeps finding the same thing after i quarantine it and delete it

2017.05.11-15.35.02-i0-t92-d0.txt

malwarebytes log.txt

Fixlog.txt

[Android8888]

Hello pkmorgan.

 

Please download, install and perform a scan with the following tool. NOTE: The entries that it can find may not be all bad so DO NOT delete anything. Just post the scan log for my review.

Please download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

• Right click on the file setup.exe and select Run as administrator to install the tool.
• Click Yes to accept any security warnings that may appear.
• Choose the installation language and click OK.
• Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
• Now close all programs and browsers.
• Please disconnect any USB or external drives from the computer before you run this scan!
• Right-click on the RogueKiller icon and select Run as administrator.
• Click Yes to accept any security warnings that may appear.
• Click the Scan tab and then click the Start Scan button.
• Wait until the scan has finished. This may take some time consuming.
• Once finished click on Open Report. It will open a new window.
• Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
• Close RogueKiller.
  

Please attach the RKlog.txt to your next reply.

Thank you.

Rui

[pkmorgan]

Hi Rui, 

I actually ran malwarebytes and quarantined and removed one trojan file, and now i've rebooted and ran several deep root scans, and nothing has come up!

I think you got it!

everything appears to be running normally now. 

Thanks!

Patrick

[Android8888]

Hello pkmorgan.

I actually ran malwarebytes and quarantined and removed one trojan file, and now i've rebooted and ran several deep root scans, and nothing has come up! I think you got it! everything appears to be running normally now.

This is great and you are very welcome!

Even though the computer appears to be running fine, it is very important to check that there are no remnants of the infection so let's check for leftovers with ESET Online Scanner. This is a very thorought scan and it may take some time to complete but it's worth it.

Please scan your computer with ESET Online Scanner.

• Click on this link to open ESET Online Scanner in a new window.
  
  1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
  2. Close all your programs and browsers.
  3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.

• Check mark Download latest version of ESET Online Scanner and click the Accept button.
• Click Yes to accept any security warnings that may appear.
• Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
• Then click Advanced settings and check mark the following options:
  
  • Enable detection of potentially unsafe applications
  • Clean threats automatically
    
• Click the Scan button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats.
• Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.
  

Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

 

Please download Security Analysis by Rocket Grannie from here

• Save it to your Desktop.
• Close your security software to avoid potential conflicts.
• Double click RGSA.exe
• Click OK on the copyright-disclaimer
• When finished, a Notepad window will open with the results of the scan.
• The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
• Please copy and paste the contents of that log in this topic.
  

Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.

 

In your next reply please copy and paste the contents of the ESET log (if it produced one) and attach the SALog.txt.

Thank you.

Rui

 

[exile360]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.