I have been working on removing a browser hijacker for over a month now. This program is super hardcore. I have been able to remove all viruses and adware for decades... since my 5-inch monochrome screen said "you are stoned" and had been infected from a 5 1/4 floppy disk. But this program has me BEAT and I am here asking for HELP. This hijacker (adware... ransomware?) works on both Internet Explorer and Chrome... essentially every time I open a page from the home screen I get one of the Comcast survey / "You've been infected... call Microsoft" pop-ups/redirected pages. I have run every virus/adware/ransomware/hijacker detection program and NOBODY can find it.

 

Windows 7 Pro, updated to today

AVG Free, up to date

2 hard drives, both with an active copy of Win 7

System Restore is normally turned on

Programs tried

AVG

Norton "eraser"

malwarebytes free

adwcleaner

Emsisoft Emergency Cleaner

BDantiransomware

 

 

 

I have disabled all extensions in browsers, uninstalled and reinstalled all browsers, and I have also tried using System Restore, but that did not work either.

PLS HELP


Browser hijackers will come onto your system either piggybacked on dubious free software or P2P conduits, or maybe attached to emails or other social media. I would not expect this type of exploiter to migrate across networks; it needs to be carried or invited....

uBlock only blocks, so whatever is causing the problem is still on your system somewhere, I guess.. If you are happy with the fix, can we close out....?

 


Thanks for those logs, continue:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box:
    'Could not load DDA driver'
     
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, if anything is found, make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply.
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply.

     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.


Next,

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here or here
 
  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
 
createsrpoint;
autoclean;
emptyclsid;
emptyalltemp;
ipconfig /flushdns >>"%temp%\log.txt";
iedefaults;
FFdefaults;
CHRdefaults;
  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).


Please include its content in your next reply. Don't forget to re-enable security software!

Let me see those logs, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin...

fixlist.txt

Edited by kevinf80
typo

So here is what you suggested I try...... But after doing all you suggested...... Zoek removed "uBlock" from Chrome and I was redirected to the Comcast survey within 20 seconds.....

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/10/17
Scan Time: 8:42 AM
Log File: 
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2986
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Dad-PC\Dad

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352859
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Fixlog.txt

zoek-results.log


Clean install Chrome:

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Remove all synced data from Chrome. Go here: https://support.google.com/chrome/answer/6386691?hl=en-GB and follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, and ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome :

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install Dr.Web Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Does that help?

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/paste its content in your next reply.


Do not use the delete option until I've had a look at the log..

Once again, thanks for the help.... I know ad blockers will stop the redirects, but actually killing the malware is a better solution. Here is the text log...

 

RogueKiller V12.11.19.0 (x64) [Oct  9 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dad [Administrator]
Started from : C:\Users\Dad\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 10/13/2017 11:38:33 (Duration : 00:23:45)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet001\Services\ALSysIO (\??\C:\Users\Dad\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet002\Services\ALSysIO (\??\C:\Users\Dad\AppData\Local\Temp\ALSysIO64.sys) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\RK_Dad_ON_D_886C\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\RK_Dad_ON_D_886C\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1832070874-2055757779-283554834-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1832070874-2055757779-283554834-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[VT.W32.HfsAdware.1073] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1365B37C-6B1B-440F-B823-3E3D25673E86} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\Dad\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-In)|Desc=Allow BitTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Found
[VT.W32.HfsAdware.1073] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2555CD66-2784-48C1-B324-5C68134016BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|App=C:\Users\Dad\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (UDP-In)|Desc=Allow BitTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Found
[VT.W32.HfsAdware.1073] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1365B37C-6B1B-440F-B823-3E3D25673E86} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\Dad\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-In)|Desc=Allow BitTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Found
[VT.W32.HfsAdware.1073] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_F02F\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2555CD66-2784-48C1-B324-5C68134016BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|App=C:\Users\Dad\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (UDP-In)|Desc=Allow BitTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST750LX0 03-1AC154 SCSI Disk Device +++++
--- User ---
[MBR] 6269fef09f4fb84bf0672b6dccec86a1
[BSP] aab2b3909d9b2f04691fdec5d98ba69c : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 715401 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: KINGSTON  SV300S37A24 SCSI Disk Device +++++
--- User ---
[MBR] 134763d7ecdb150cc03d99d165a1e007
[BSP] b6979fc48640221623139c50c36cb6e0 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 228934 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 


Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the reports icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs, "FRST.txt" and "Addition.txt".

Post those logs, also give an update on any remaining issues or concerns....

Thank you,

Kevin

I ran Zemana and reran FRST; neither found anything..... Sorry about not loading reports... but I am tired of chasing this ghost. As an aside, I am running a second hard drive that contains Win 7 as an operating system (as a backup for when Win 7 hangs on the main drive). It appears that when I run the anti-malware it is not running on the second hard drive.... is that correct?
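The two RogueKiller findings earlier in the thread (a service whose driver lives in a user's AppData\Local\Temp, and firewall allow-rules for a program under AppData) and the question above about the second drive can both be checked directly from PowerShell. The script below is an added example, not code from this thread or from RogueKiller, FRST or Malwarebytes; it assumes an elevated prompt and that the second install's SYSTEM hive is at D:\Windows\System32\config\SYSTEM (adjust the path to match the second drive). A scanner running on the booted Windows does not load the other install's registry hives, so the script mounts that hive and audits it separately.

```powershell
# Added example (not from the thread): audit service image paths and firewall allow-rules
# under user profiles, in the live registry and in the offline install on the second drive.
$OfflineHive = 'D:\Windows\System32\config\SYSTEM'   # assumed path of the second install's hive
$MountKey    = 'HKLM\OfflineSys'                      # temporary mount point for that hive
function Get-SuspiciousServices {
    param([string]$ServicesKey)   # e.g. HKLM:\SYSTEM\CurrentControlSet\Services
    Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        # Drivers and services normally live under \Windows or \Program Files;
        # an ImagePath inside a user profile's AppData tree deserves a look.
        if ($svc.ImagePath -match '\\Users\\[^\\]+\\AppData\\') {
            New-Object PSObject -Property @{ Service = $_.PSChildName; ImagePath = $svc.ImagePath }
        }
    }
}

function Get-AppDataFirewallRules {
    param([string]$RulesKey)      # ...\SharedAccess\Parameters\FirewallPolicy\FirewallRules
    $rules = Get-ItemProperty $RulesKey -ErrorAction SilentlyContinue
    if (-not $rules) { return }
    # Each value is a pipe-delimited string: v2.10|Action=Allow|...|App=<path>|Name=...|
    $rules.PSObject.Properties | Where-Object {
        $_.Value -is [string] -and $_.Value -match 'Action=Allow' -and $_.Value -match 'App=[^|]*\\AppData\\'
    } | ForEach-Object {
        $app = [regex]::Match($_.Value, 'App=([^|]*)').Groups[1].Value
        New-Object PSObject -Property @{ RuleId = $_.Name; App = $app }
    }
}

function Invoke-ControlSetAudit {
    param([string]$Root)          # registry path of a control set, e.g. HKLM:\SYSTEM\CurrentControlSet
    Get-SuspiciousServices   "$Root\Services" | Format-Table -AutoSize
    Get-AppDataFirewallRules "$Root\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" | Format-Table -AutoSize
}

'== Live system =='
Invoke-ControlSetAudit 'HKLM:\SYSTEM\CurrentControlSet'
# The offline hive has no CurrentControlSet link; its Select\Current value names the active set.
if (Test-Path $OfflineHive) {
    reg.exe load $MountKey $OfflineHive | Out-Null
    try {
        $current = (Get-ItemProperty 'HKLM:\OfflineSys\Select').Current
        "== Offline install: $OfflineHive (ControlSet{0:D3}) ==" -f $current
        Invoke-ControlSetAudit ('HKLM:\OfflineSys\ControlSet{0:D3}' -f $current)
    } finally {
        [gc]::Collect()               # drop registry handles so the hive can be unloaded
        reg.exe unload $MountKey | Out-Null
    }
}
```

A hit is a lead to investigate, not proof of infection; a hardware-monitoring driver dropped into Temp or a torrent client the user installed will show up here just as malware would, so compare each ImagePath and App against what is known to be installed before removing anything.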


This is frustrating for sure. Set your system up for a "Clean Boot", that is, all non-system services disabled.. Full instructions are at the following link; expand the option for Windows 7:

https://support.microsoft.com/en-gb/help/929135/how-to-perform-a-clean-boot-in-windows

With only system services active, what happens....


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
