Hello there,

For the last 2-3 days, my browsers have been hijacked by some virus, and it keeps redirecting to some websites. Malwarebytes can't find them when I search for it, but Malwarebytes does block the outbound connection; even so, some sites manage to redirect it.

Can anyone please help me with this? 

FRST_04-07-2017 12.02.41.txt

Addition_04-07-2017 12.02.41.txt

Scan.txt


  • Root Admin

Hello @fsGraphy and welcome.

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron


  • Root Admin

Not much found, so it's probably just a rogue setting in your browser. The computer is also having a few errors in the Event Logs, which are probably not due to malware but could be in part due to overly strict rules from Avast antivirus. Difficult to tell for sure, but it needs to be addressed.

Application errors:
==================
Error: (07/07/2017 02:50:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.10240.17319, time stamp: 0x58ba4983
Faulting module name: CoreUIComponents.dll, version: 0.0.0.0, time stamp: 0x58ba2e17
Exception code: 0xc0000005
Fault offset: 0x0000000000060ffd
Faulting process id: 0x2a00
Faulting application start time: 0x01d2f6f4d9098d5e
Faulting application path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\WINDOWS\system32\CoreUIComponents.dll
Report Id: 476fc7c6-ca7f-4e10-a7d0-49cffe7bebd2
Faulting package full name: Microsoft.MicrosoftEdge_20.10240.17146.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

Error: (07/07/2017 02:49:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/07/2017 01:24:30 PM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0

Error: (07/06/2017 10:41:26 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 06:09:30 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 06:09:30 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 06:09:30 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 06:09:29 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 12:14:51 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/06/2017 12:14:51 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Afrah)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.


System errors:
=============
Error: (07/07/2017 02:10:19 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (07/07/2017 01:24:26 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (07/07/2017 01:23:34 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (07/07/2017 01:20:22 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 0.0.0.0 with the system
having network hardware address 00-00-00-00-00-00. Network operations on this system may
be disrupted as a result.

Error: (07/07/2017 01:16:17 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {784E29F4-5EBE-4279-9948-1E8FE941646D} did not register with DCOM within the required timeout.

Error: (07/06/2017 10:41:26 PM) (Source: DCOM) (EventID: 10010) (User: Afrah)
Description: The server CortanaUI.AppXd4tad4d57t4wtdbnnmb8v2xtzym8c1n8.mca did not register with DCOM within the required timeout.

Error: (07/06/2017 10:41:25 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_Session6 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (07/06/2017 10:03:56 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {784E29F4-5EBE-4279-9948-1E8FE941646D} did not register with DCOM within the required timeout.

Error: (07/06/2017 06:09:30 PM) (Source: DCOM) (EventID: 10010) (User: Afrah)
Description: The server Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.

Error: (07/06/2017 06:09:30 PM) (Source: DCOM) (EventID: 10010) (User: Afrah)
Description: The server Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2017-07-05 20:34:45.576
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-07-04 19:45:47.207
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-07-02 14:36:08.697
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-04-14 02:24:45.297
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-16 00:05:33.579
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-10-14 15:45:14.148
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-10-14 03:52:43.668
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-10-07 17:56:17.020
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-14 08:31:00.872
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-04 17:29:36.075
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.


Please run the following.

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Then run a reset of your browsers

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, you may want to consider uninstalling it, as older versions of some software can increase the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your Bookmarks if you want to keep them, but you have to export them first (Export Bookmarks). Everything else should be removed.

Then I need you to go to Google Sync and sign into your account.
Scroll down until you see the reset sync button and click on the button.
At the prompt click on OK.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the Chrome Menu icon (three horizontal lines).
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see Reset settings, then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please.

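The FRST error-log excerpt in the post above can be triaged mechanically rather than read line by line. The following Python script is an added example (not part of the thread, and not FRST's own code): it parses entries in that "Error: (date) (Source: ...) (EventID: ...) (User: ...)" layout, joins multi-line descriptions, counts entries per source and event ID, and flags the two entries most relevant to a redirect complaint, DNS-Client 1012 (hosts file unreadable) and Tcpip 4199 (address conflict). The sample log is constructed from three entries quoted in the post; the REDIRECT_RELEVANT table and its hints are my assumptions, not FRST output.

```python
import re
from collections import Counter

# Constructed sample: three entries in the FRST Addition.txt error-log layout quoted above.
SAMPLE_LOG = """\
System errors:
=============
Error: (07/07/2017 02:10:19 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (07/07/2017 01:20:22 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 0.0.0.0 with the system
having network hardware address 00-00-00-00-00-00. Network operations on this system may
be disrupted as a result.

Error: (07/07/2017 01:16:17 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {784E29F4-5EBE-4279-9948-1E8FE941646D} did not register with DCOM within the required timeout.
"""

# One header line per entry; the description that follows may span several lines.
HEADER = re.compile(
    r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)

# Assumed triage table (not from FRST): events worth a second look when the complaint is
# browser redirects. An unreadable hosts file is a classic name-resolution tamper point.
REDIRECT_RELEVANT = {
    ("Microsoft-Windows-DNS-Client", 1012): "hosts file unreadable; inspect drivers\\etc\\hosts for added entries",
    ("Tcpip", 4199): "IP address conflict; verify DHCP lease and router settings",
}


def parse_events(text):
    """Return one dict per 'Error:' block with when/source/event_id/user/description."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            current["event_id"] = int(current["event_id"])
            current["description"] = ""
            events.append(current)
        elif current is not None and line.strip():
            # Continuation of the current entry's description (possibly multi-line).
            line = line.removeprefix("Description: ")
            current["description"] = (current["description"] + " " + line).strip()
    return events


def triage(text):
    """Count entries per (source, event id) and list the ones the table flags."""
    events = parse_events(text)
    counts = Counter((e["source"], e["event_id"]) for e in events)
    findings = [(e["when"], REDIRECT_RELEVANT[(e["source"], e["event_id"])])
                for e in events if (e["source"], e["event_id"]) in REDIRECT_RELEVANT]
    return counts, findings
```

Run `triage(open("Addition.txt").read())` against a real log to get the per-event counts plus the flagged entries; the DCOM entry in the sample is kept to show that unrelated errors are counted but not flagged.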

I have done as you said, but it doesn't seem to work.

And sometimes I am unable to post anything on this website unless I use Microsoft Edge (this browser, somehow, hasn't been affected by the referral virus).

And the second photo is of the popups which occur, while some of them manage to open anyways.

teeest.PNG

Popup.PNG


  • Root Admin

Please go into Control Panel, Programs, Add/Remove and uninstall all versions of Java.

Next,

Please review the following website and read it before continuing, and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router. DO NOT erase, install, or update the firmware; just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

 

Next,

Make sure that your DATE and TIME on the computer are correct.

Make sure you FULLY disable your antivirus and run the following fix.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron


  • Root Admin

Open Opera and try it. Does it too have an issue?

I'm guessing, that Chrome is the only browser now having an issue. If you visit sites with Opera or Edge they probably go where they are supposed to go. With Chrome they may or may not go to the right place?


  • Root Admin

Yes, many routers don't work with all browsers. Some only work with Internet Explorer.

Okay, browse around to other sites, not your router. Let me know what issues you have. As I see it, only Chrome will be having an issue sending you to the wrong sites from time to time. The other browsers probably work fine.

Let me know if that's true or not.


  • Root Admin

Yes, thank you. That is what I thought. Chrome can be very difficult to clean the redirect from.

Please export your bookmarks in Chrome. Go to your Chrome account for Sync and disable and delete it. If you use a phone do make sure the phone sync is also removed.

Then uninstall Chrome and restart the computer.

Then run a new FRST scan with a new Additions.txt log as well and post those back. I'll help you finish the removal of Chrome. Then we'll verify there are no other issues, and then we'll reinstall Chrome.

Ron


  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

