Hello,

Both my IE and Chrome browsers redirect when I try to use them. Both redirect google.com to google.ga and show pop-up ads in the corner and through new tabs. Attached are the FRST files, the Malwarebytes scan and the AdwCleaner logs that I ran when I thought I could clean it up myself.

 

Thanks in advance.

AdwCleaner[S00].txt AdwCleaner_Debug.log FRST.txt MalwarebytesLog.txt Addition.txt AdwCleaner[C00].txt


Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let's start with the following.

[ 1 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

 

[ 2 ]

Please use Google Chrome to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[ 3 ]

For Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue)


Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

[ 4 ]
Also see these Google Chrome articles and take appropriate measures !!
Reset browser settings
https://support.google.com/chrome/answer/3296214

 

[ 5 ]

Get & install the Malwarebytes Browser Guard extension for Chrome.

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

Let me know how you do.

Sincerely,

 


Maurice,

Thanks for the reply.

Here we go:

[1] - Read the article on disabling push notifications. Followed the steps outlined in the blog and didn't have any notifications blocked or allowed. Set to "Ask before sending".

[2] - Copied the link provided above and google.com is changed to google.ga and "404 requested url not found". I have not signed into Chrome on this computer so I did not feel this was a big deal. Please tell me if my assumption was wrong.

[3] - I was able to clear the browsing data fine. Checked all three outlined above and changed the timeframe to "All time".

[4] - I reset Chrome to its original defaults.

[5] - Malwarebytes Browser Guard extension downloaded and installed.

 

Mike


Hi Mike.

Thanks for the status update. Glad to know #3, 4, 5. Good to hear you have deleted the cache & have added the Malwarebytes Browser Guard.

It is still a mystery why Google is changed to google.ga.

Let's give the following a good try.

 

Let's start by doing a new thorough scan with Malwarebytes for Windows. The goal is to see whether there is an infection or PUP.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click the Protection tab & scroll down to Scan options.

In the section "Potential Threat Protection":
look down at the line "Potentially Unwanted Programs (PUPs)" and make sure it is set to
"Always detect PUPs".

and

look down at the line "Potentially Unwanted Modifications (PUM)" and make sure it is set to
"Always detect PUM".

and
scroll all the way down to the section Automatic Quarantine.
On the line "Automatically quarantine detected malware" be sure it is ON.



Then once all is set there, click on the SCAN button.
Then ensure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark.

To that end, if you click the very top left checkbox you can force all detected lines (if any are detected) to be selected for removal. Be sure each line is checked.




Then you can proceed to click on the blue button Quarantine selected.


In Malwarebytes.
Click the Reports button (on the left).
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 


Good afternoon, Mike.

Thanks for the report. This scan report from Malwarebytes is excellent.

 

Question for today: Is the PC experiencing pop-up push ads on the lower right side of the monitor screen?

That is what I need to know, and whether Chrome or IE or any other browser is now having unwanted advertising or redirects.

I would like to have you run a different report tool, so I can review.

Please download and save this next tool to the Desktop (if possible) or else to the Downloads folder (so you can get to it easily).
Please note that the results of the following scans are not necessarily indicative of malware on your computer.

RogueKiller Scan
Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

Save the file first.
Close any running programs that you started on your own (if any).

Double-click RogueKillerx64.exe to run the program.
Follow the prompts. If a browser window opens, close the window.
In the HOME tab, click Start Scan.
Upon completion, a browser window may open. Close this window.
 
Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.
Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.
Please attach the file in your next reply.


Thank you.


Good afternoon,

I have not seen any pop-up ads in the lower right corner of the PC. I have seen ads in the upper right in both IE and Chrome. I currently don't see them, but I saw them as recently as yesterday.

Attached are the results of the RogueKiller scan.

Thanks,

Mike

RogueScan.txt


Hi. Thanks for the RogueKiller report. Let's do a new scan & then do some cleanups.

Right click on RogueKillerx64.exe and select "Run as Administrator" to start the tool, accept UAC.

In the new window the "Home" tab should already be selected. Change by selecting the "Scan" tab, then select "Start Scan".

We are only focusing on the Registry.

When the scan completes, checkmark (tick) the following under Registry entries, and ensure that all other entries are not checkmarked:

[Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{4f5f3124-1d9c-4803-887c-10511f44277f} -- C:\ProgramData\FineDealSoft\FPcmGnhIifwsOa.x64.dll (missing) -> Found

[Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{b93d1cce-8b0b-4435-b9e9-b975ff77cd18} -- C:\ProgramData\SalesMagnet\zeIE0e4JSXB9nG.x64.dll (missing) -> Found

[Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{E185BD1E-6008-95F3-B356-FA7D1E63C172} -- C:\ProgramData\LuckyCoupOn\JfBirDAT.x64.dll (missing) -> Found

[Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{E42BB584-16F7-1FD3-2F48-0ED87158B36A} -- C:\ProgramData\FineaDeoAlSSouft\vha.x64.dll (missing) -> Found

[Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{f79cad68-ff20-4921-a978-4d9afe6eb408} -- C:\ProgramData\TicTACCoupOno\Zmw6mjr2YHrgvP.x64.dll (missing) -> Found

[PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Description -- N/A -> Found

 

Press the Delete button.

When complete, select "Open Report". In the next window select "Export txt" and the log will open. Save it to your Desktop for reference, and also attach it to your next reply.

 

Also, if you could, search your system for anything with these names:

FineDealSoft

SalesMagnet

TicTACCoupOno

 

 

 

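The RogueKiller entries above are all of one kind: a COM class registration under HKEY_CLASSES_ROOT\CLSID whose InprocServer32 DLL lives under C:\ProgramData\<adware name> and is now missing. As an added example (not from this thread, and not part of RogueKiller or Malwarebytes), the read-only PowerShell below lists CLSID registrations of that shape so a defender can review them before any tool is asked to delete; the function name and the directory prefixes treated as suspicious are assumptions.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in the registry.
# Run from an elevated PowerShell so both the 64-bit and WOW6432Node views are readable.

function Get-SuspectClsid {
    param(
        # Hives to examine; HKEY_CLASSES_ROOT merges the HKLM and HKCU class roots.
        [string[]]$Roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                             'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'),
        # Assumed: DLLs registered from these user-writable roots are worth a look
        # even when the file still exists (the thread's adware sat under ProgramData).
        [string[]]$SuspectPrefixes = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA)
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $srv = "$($key.PSPath)\InprocServer32"
            if (-not (Test-Path -Path $srv)) { return }
            # The DLL path is the key's (default) value.
            $raw = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { return }
            # Expand %ProgramData%-style variables and strip quotes before testing the path.
            $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            $inUserDir = [bool]($SuspectPrefixes | Where-Object { $dll -like "$_\*" })
            $missing   = -not (Test-Path -LiteralPath $dll)
            if ($inUserDir -or $missing) {
                [pscustomobject]@{
                    Clsid     = $key.PSChildName
                    Dll       = $dll
                    Missing   = $missing
                    InUserDir = $inUserDir
                }
            }
        }
    }
}

# Entries that are both missing AND came from a user-writable directory match the
# RogueKiller findings above most closely; list those first.
Get-SuspectClsid | Sort-Object -Property @{Expression='Missing';Descending=$true}, InUserDir -Descending |
    Format-Table -AutoSize
```

Many legitimate products leave a dangling CLSID behind after an uninstall, so a hit here is a lead to review, not by itself proof of adware.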

Thanks for the reports.   Good cleanup.

My understanding & assumption is that browser redirects have not re-occurred.

Is there anything else you need?


The .ga domain is the country code for Gabon.

What country are you in?

We may need to have you uninstall Chrome and then (if you still want to use Chrome) do a new fresh install.

Let's see about getting a different report, please. There is a report tool named OTL, Oldtimer's ListIt.
We need to create an OTL report.

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Reply YES when prompted by Windows whether to allow it to run.
  5. Click the "Scan All Users" checkbox.
  6. Push the Run Scan button.
  7. Please have lots of patience as this report may well take several minutes. Let it run.
  8. Two reports will open, please attach the 2 files with your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

 


Thank you for the OTL report files. I will go through them, and get back with you later.

 

Meantime, I have a specific question, since the Chrome browser can be kicked off from any of several places.

From where do you start Chrome? From a desktop shortcut? From a shortcut on the Taskbar? Or else from the Start menu?

Let me know about that.

Also, I want you to start Chrome in a special way and then let me know if the very same "redirects" still happen.

You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup.
First, close any prior instances of Chrome via Task Manager.
Then press Windows-key+R for the RUN option and then put in a command line similar to this {do use COPY & PASTE}:

chrome.exe -incognito



Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it.
Note also, Incognito mode is also an option in the Chrome menu {as long as it can start}.
I would appreciate knowing if the Incognito mode helps.
 

Other suggestions, for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue)

 

Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.
 


Ok. The following is a custom fix trying to take care of the Chrome situation. I did not see mentions of "google.ca", however this should help out.

This fix is for Dammit01  only.

 

Please close and save any open work files before you start this next step. It will involve a Windows restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) to the Downloads folder.

The FRST64.exe tool is already in the Downloads folder.

Start Windows Explorer and then open the Downloads folder.


Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF prompted by Windows to let this tool run, DO allow it to go forward. Reply YES to let it proceed.


Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Let me know about the overall situation.

Sincerely,

 

Fixlist.txt


Good afternoon,

I ran the custom fix and everything seemed to complete normally. Attached is the Fixlog.

Now on to Chrome. I tried to search for something using the address bar and this is what the result is:

[screenshot attached]

I've seen myfirsttab.com and my-search.com both come up when trying to do simple searches. Still an infection somewhere it seems.

I tried the chrome.exe -incognito from the run command and it did not seem to make a difference. I have started Chrome about every different way since starting this cleanup: from the taskbar, from the desktop shortcut and from the start menu. All act the same.

Thanks,

Mike 

Fixlog.txt


Thanks for the log and information. It seems likely I will wind up suggesting a Chrome uninstall and rebuild.

But let's do a special search.

We need to search for a few things with SystemLook:

Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop.

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. COPY & paste the entire text into the main text box:
 

:regfind

myfirsttab

:filefind

myfirsttab

:folderfind

myfirsttab

Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan.

Please post this log in your next reply.


Thank you for the report. There was no file or registry entry "myfirsttab".

 

You should consider resetting Chrome back to defaults to completely clear out what is going on.

You can keep the bookmarks by exporting them:
http://support.google.com/chrome/bin/answer.py?hl=en&answer=96816 Export Bookmarks


Follow the instructions to remove all Google Sync data:
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/



Now we need to uninstall Chrome.

Make sure to select the "Also delete your browsing data" tick box.

https://support.google.com/chrome/answer/95319?hl=en-US

Re-install Chrome:
https://www.google.com/chrome/browser/desktop/

Get & re-install the Malwarebytes Browser Guard extension for Chrome.

 

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

Let me know how you do.

Sincerely,



When I enter the link to re-install Chrome, IE brings up this:

[screenshot attached]

Why does the PC think I'm in Gabon? There still has to be some sort of firewall/proxy issue going on here? :(

For now, I'm going to hold off on re-installing Chrome.

Ideas?

Mike


I still would suggest to uninstall & re-install Chrome. Use some other browser, like Edge, to do the Chrome setup download.

Just close the current Chrome / do a full EXIT. Download using a different browser.

 

Your Windows OS indicates Country: United States.

It is perhaps this Chrome that has some glitch so it assumes or is set for Gabon.

This has no relation to proxy or firewall. It is a glitched-up Chrome.


Good afternoon,

I deleted Chrome from my system. The only browser that I have available now is IE11.

When I go to the link to re-install Chrome I get a "Database Exception" error.

[screenshot attached]

Can't download Chrome.

Mike


Sorry to hear all that. Let's do what follows and get a report from the machine.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Attach Result.txt with your next reply.

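The MiniToolBox items above (hosts file, IE proxy settings, DNS, Winsock) are the places outside the browser where a google.com to google.ga redirect, or the country mismatch Mike asked about, could be introduced. As an added example (not from this thread and not part of MiniToolBox), the read-only PowerShell below checks those same spots and prints only what looks off; the function name is an assumption, and the DNS cmdlets need Windows 8 or later.

```powershell
# Added example, not from the thread. Read-only: nothing is flushed, reset or changed.
# Run from an elevated PowerShell so the machine-wide WinHTTP proxy is readable.

function Get-RedirectIndicators {
    $findings = @()

    # 1. hosts file: any active line that maps google.com or google.ga overrides DNS
    #    for every browser on the box.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'google\.(com|ga)' } |
        ForEach-Object { $findings += "hosts: $_" }

    # 2. Per-user WinINET proxy and PAC script. IE uses these directly and Chrome
    #    follows the same system proxy settings unless configured otherwise.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1) { $findings += "WinINET proxy enabled: $($p.ProxyServer)" }
    if ($p.AutoConfigURL)     { $findings += "WinINET PAC script: $($p.AutoConfigURL)" }

    # 3. Machine-wide WinHTTP proxy, used by services and by some installers.
    $winhttp = (& netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') { $findings += "WinHTTP: $winhttp" }

    # 4. DNS: which resolvers are configured, and what www.google.com resolves to.
    #    A resolver you did not set, or an unexpected answer, points at DNS tampering.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
    $findings += "DNS servers -> " + ($servers -join ' | ')
    try {
        $a = Resolve-DnsName -Name 'www.google.com' -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $findings += "www.google.com A records -> " + (($a.IPAddress) -join ', ')
    } catch {
        $findings += "DNS lookup failed: $($_.Exception.Message)"
    }

    # 5. Winsock LSPs: a third-party catalog entry can rewrite traffic for all apps.
    $lsp = (& netsh winsock show catalog) -join "`n"
    if ($lsp -match 'Description:\s+(?!MSAFD|RSVP)') { $findings += 'Winsock: non-Microsoft catalog entry present' }

    return $findings
}

Get-RedirectIndicators
```

Compare the resolvers and the A records with what your router or ISP hands out; the DNS and Winsock lines are informational, while a hosts hit or an unexpected proxy/PAC entry is something to clear before reinstalling Chrome.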