Dammit01 Posted September 9, 2019 ID:1333782 Share Posted September 9, 2019 Hello, Both my IE and Chrome browers redirect when I try to use them. Both redirect google.com to google.ga and show pop-up ads in the corner and through new tabs. Attached are the FRST files, the malwarebytes scan and the AdwCleaner logs that I ran when I thought I could clean it up myself. Thanks in advance. AdwCleaner[S00].txt AdwCleaner_Debug.log FRST.txt MalwarebytesLog.txt Addition.txt AdwCleaner[C00].txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 9, 2019 ID:1333907 Share Posted September 9, 2019 Hi, My name is Maurice. I will be helping and guiding you, going forward on this case. Lets start with the following. [ 1 ] See this article on our Malwarebytes Bloghttps://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/ You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. Scroll down to the tips section "How do I disable them". [ 2 ] Please use Google Chrome to go to https://www.google.com/settings/chrome/sync and sign into your account. Scroll down until you see the "reset sync" button and click on the button At the prompt click on "Ok". [ 3 ] for Chrome, while Chrome is running: Press & hold SHIFT+CTRL+Del keys on keyboard to get menu for clearing browsing data: Check mark the line "Browsing history" Check mark the line "Download history" Check mark the lined "Cached images and files" and press Clear Data button ( in blue ) Still in Chrome, press ALT+F then Settings Click Extensions on the left. Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust. [ 4 ] Also see these Google - Chrome articles and take appropriate measures !! Reset browser settingshttps://support.google.com/chrome/answer/3296214 [ 5 ] get & install the Malwarebytes Browser Guard extension for Chrome, Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee Then proceed with the setup. Let me know how you do. Sincerely, Link to post Share on other sites More sharing options...
Dammit01 Posted September 9, 2019 Author ID:1333911 Share Posted September 9, 2019 Maurice, Thanks for the reply. Here we go: [1] - read the article on disabling push notifications. Followed the steps outlined in the blog and didn't have any notifications blocked or allowed. Set to "Ask before sending". [2] - copied the link provided above and the google.com is changed to google.ga and "404 requested url not found". I have not signed into the chrome on this computer so I did not feel this was a big deal. Please tell me if my assumption was wrong. [3] - I was able to clear the browsing data fine. Checked all three outline above and changed the timeframe to "All time". [4] - I reset Chrome to its original defaults. [5] - Malwarebytes Browser Guard extension downloaded and installed. Mike Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 9, 2019 ID:1333929 Share Posted September 9, 2019 Hi Mike. Thanks for the status update. Glad to know #3, 4, 5. Good to hear you have deleted the Cache & have added the Malwarebytes Browser Guard. It is still a mystery why Google is changed to google.ga Lets give the following a good try. Let’s start by doing a new thorough scan with Malwarebytes for Windows. The goal is to see whether there is an infection or P U P. Let's do one new run with Malwarebytes for Windows. Start Malwarebytes. Click Settings. Click Protection tab & scroll down to Scan options. On the section "Potential Threat Protection" look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to "Always detect PUPS ". and look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to "Always detect PUM ". and scroll all the way down to the section Automatic Quarantine On the line "Automatically quarantine detected malware" be sure it is ON Then once all set there, click on SCAN button Then insure Threat scan has a check mark. Then click Start scan. Review the results list. Then I would suggest you make sure all lines have a check mark To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected) to be selected for removal. Be sure each line is checked. Then you can proceed to click on the blue button Quarantine selected. In Malwarebytes. Click the Reports button ( on the left ) Look for the "Scan Report" that has the most recent Date and time. When located, click the check box for it and click on View Report. Then click the Export button at the bottom left. Then select Text File (*.txt) Put in a name for that file and remember where the file is created. Then attach that file with your next reply Link to post Share on other sites More sharing options...
Dammit01 Posted September 10, 2019 Author ID:1333999 Share Posted September 10, 2019 Good morning, Here are the results of the scan. Mike Scan091019.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 10, 2019 ID:1334086 Share Posted September 10, 2019 Good afternoon, Mike. Thanks for the report. This scan-report from Malwarebytes is excellent. Question for today: Is the pc experiencing pop-up push ads on the Lower right-side of the monitor screen ? That is what I need to know, and whether Chrome or IE or any other browser is now having unwanted advertising or redirects ? I would like to have you run a different report tool, so I can review. Please download and Save this next tool to the DESKTOP ( if possible) or else to the Downloads folder ( so you can get to it easily). Please note that the results of the following scans are not necessarily indicative of malware on your computer. RogueKiller Scan Please download RogueKiller (x64) using the link below. → http://download.adlice.com/api?action=download&app=roguekiller&type=x64 Save the file first, Close any running programs that you started on your own ( if any). Double-click RogueKillerx64.exe to run the program. Follow the prompts. If a browser window opens, close the window. In the HOME tab, click Start Scan. Upon completion, a browser window may open. Close this window. Important: Please do not have RogueKiller remove any detected items. Click the HISTORY tab followed by Scan Reports. Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop. Please attach the file in your next reply. Thank you. Link to post Share on other sites More sharing options...
Dammit01 Posted September 10, 2019 Author ID:1334098 Share Posted September 10, 2019 Good afternoon, I have not seen any pop-up ads in the lower right corner for the pc. I have seen ads in the upper right in both ie and chrome. I currently don't see them, but I saw them as recently as yesterday. Attached are the results of the RogueKiller scan. Thanks, Mike RogueScan.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 11, 2019 ID:1334118 Share Posted September 11, 2019 Hi. Thanks for the RogueKiller report. Lets do a new scan & then do some cleanups. Right click on RogueKillerx64 .exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" We are only just focusing on the Registry. When the scan completes Checkmark (tick) the following under Registry entries, ensure that all other entries are not Checkmarked [Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{4f5f3124-1d9c-4803-887c-10511f44277f} -- C:\ProgramData\FineDealSoft\FPcmGnhIifwsOa.x64.dll (missing) -> Found [Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{b93d1cce-8b0b-4435-b9e9-b975ff77cd18} -- C:\ProgramData\SalesMagnet\zeIE0e4JSXB9nG.x64.dll (missing) -> Found [Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{E185BD1E-6008-95F3-B356-FA7D1E63C172} -- C:\ProgramData\LuckyCoupOn\JfBirDAT.x64.dll (missing) -> Found [Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{E42BB584-16F7-1FD3-2F48-0ED87158B36A} -- C:\ProgramData\FineaDeoAlSSouft\vha.x64.dll (missing) -> Found [Suspicious.Path (Potentially Malicious)] (X64) HKEY_CLASSES_ROOT\CLSID\{f79cad68-ff20-4921-a978-4d9afe6eb408} -- C:\ProgramData\TicTACCoupOno\Zmw6mjr2YHrgvP.x64.dll (missing) -> Found [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Description -- N/A -> Found Press the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. Also if you could, search your system for anything with these names FineDealSoft SalesMagnet TicTACCoupOno Link to post Share on other sites More sharing options...
Dammit01 Posted September 11, 2019 Author ID:1334196 Share Posted September 11, 2019 Good morning, RogueKiller scan is finished. Report(s) attached. The only reference I can find to FineDealSoft, SalesMagnet or TicTacCoupOno are in the AdwCleaner log files that I ran before we started this process. Mike RogueScan0911.txt RogueScanRemoval0911.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 11, 2019 ID:1334267 Share Posted September 11, 2019 Thanks for the reports. Good cleanup. My understanding & assumption is that browser redirects have not re-occurred. Is there anything else you need? Link to post Share on other sites More sharing options...
Dammit01 Posted September 11, 2019 Author ID:1334271 Share Posted September 11, 2019 Maurice, When you open chrome and go to google.com it still redirects to google.ga. Mike Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 11, 2019 ID:1334274 Share Posted September 11, 2019 The .ga domain is the country code for Gabon. What country are you in ? We may need to have you uninstall Chrome and then ( if you still want to use Chrome ) to do a new fresh install. Lets see about getting a different report, please.There is a report tool named OTL , Oldtimer's ListItWe need to create an OTL Report Please download OTL from one of the following mirrors: This is THE Mirror Save it to your desktop. Double click on the icon on your desktop. Reply YES when prompted by Windows whether to allow it to Run Click the "Scan All Users" checkbox. Push the button. Please have Lots of Patience as this report my well take several minutes. Let it run. Two reports will open, please Attach the 2 files with your Reply: OTL.txt <-- Will be opened Extra.txt <-- Will be minimized Link to post Share on other sites More sharing options...
Dammit01 Posted September 11, 2019 Author ID:1334278 Share Posted September 11, 2019 Maurice, Here are the results. Thanks, Mike Extras.Txt OTL.Txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 11, 2019 ID:1334323 Share Posted September 11, 2019 Thank you for the OTL report files. I will go thru them, and get back with you later. Meantime, I have a specific question: Since the Chrome browser can be kicked off from any of several places. From where do you start Chrome ? from a desktop shortcut ? from a shortcut on the Taskbar ? or else from the Start menu ? Let me know about that. Also, I want you to start Chrome in a special way and then let me know if the very same "redirects" still happen. You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup. First, close any prior instances of Chrome via Task Manager. Then press Windows-key+R for the RUN option and then put a command line similar to this {do use COPY & PASTE} chrome.exe -incognito Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it. Note also, Incognito mode is also an option in the Chrome menu {as long as it can start}.I would appreciate knowing if the Incognito mode helps. Other suggestions, for Chrome, while Chrome is running: Press & hold SHIFT+CTRL+Del keys on keyboard to get menu for clearing browsing data: Check mark the line "Browsing history" Check mark the line "Download history" Check mark the lined "Cached images and files" and press Clear Data button ( in blue ) Still in Chrome, press ALT+F then Settings Click Extensions on the left. Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust. Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 11, 2019 ID:1334346 Share Posted September 11, 2019 Ok. The following is a custom fix trying to take care of Chrome situation. I did not see mentions of "google.ca" however this should help out. This fix is for Dammit01 only. Please Close and save any open work files before you start this next step. It will involve a Windows Restart at the end of it. I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair. Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the Downloads folder The tool named FRST64.exe tool is already on the Downloads folder. Start the Windows Explorer and then, open the Downloads folder. Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF prompted by Windows to let this tool run, DO allow it to go forward. Reply YES to let it proceed. Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Let me know about the overall situation. Sincerely, Fixlist.txt Link to post Share on other sites More sharing options...
Dammit01 Posted September 12, 2019 Author ID:1334557 Share Posted September 12, 2019 Good afternoon, I ran the custom fix and everything seemed to complete normally. Attached is the Fixlog. Now on to chrome. I tried to search for something using the address bar and this is what the result is: I've seen myfirsttab.com and my-search.com both come up when trying to do simple searches. Still an infection somewhere it seems. I tried the chrome.exe -incognito from the run command and it did not seem to make a difference. I have started chrome about every different way since starting this cleanup: from the taskbar, from the desktop shortcut and from the start menu. All act the same. Thanks, Mike Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 12, 2019 ID:1334562 Share Posted September 12, 2019 (edited) Thanks for the log and information. It seems likely I will wind up suggesting a Chrome uninstall and rebuild. But lets do a special search. We need to search for a few things with SystemLook: Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. COPY & paste the entire text into the main text box: :regfind myfirsttab :filefind myfirsttab :folderfind myfirsttab Click the Look button to start the scan When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Edited September 12, 2019 by Maurice Naggar re-edited typos Link to post Share on other sites More sharing options...
Dammit01 Posted September 12, 2019 Author ID:1334563 Share Posted September 12, 2019 Results of SystemLook scan. Mike SystemLook.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 12, 2019 ID:1334571 Share Posted September 12, 2019 Thank you for the report. There was no file or registry entry "myfirsttab". You should consider to reset Chrome back to defaults to completely clear out what is going on.You can keep the bookmarks by exporting them - http://support.google.com/chrome/bin/answer.py?hl=en&answer=96816 Export BookmarksFollow instructions to remove all Google Sync data - http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/Now we need to uninstall Chrome make sure to select the "Also delete your browsing data" tick boxhttps://support.google.com/chrome/answer/95319?hl=en-USRe-install Chrome:https://www.google.com/chrome/browser/desktop/. get &re- install the Malwarebytes Browser Guard extension for Chrome, Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee Then proceed with the setup Let me know how you do. Sincerely, Link to post Share on other sites More sharing options...
Dammit01 Posted September 12, 2019 Author ID:1334572 Share Posted September 12, 2019 When I enter the link to re-install chrome, ie brings up this: Why does the pc think I'm in Gabon? There still has to be some sort of firewall/proxy issue going on here? For now, I'm going to hold off on re-installing chrome. Ideas? Mike Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 12, 2019 ID:1334580 Share Posted September 12, 2019 I still would suggest to uninstall & re-install Chrome. Use some other browser, like EDGE to do the Chrome setup download. Just close the current Chrome / do a full EXIT. download using different browser. Your Windows O S indicates Country: United States It is perhaps this Chrome that has some glitch so it assumes or is set for Gabon. This has no relation to proxy or firewall. It is a glitched up Chrome. Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 13, 2019 ID:1334591 Share Posted September 13, 2019 I have done some additional searching on the Chrome redirect. You truly need to look on this Youtube video which has the fix for the Chrome browser https://www.youtube.com/watch?v=2mrwGTF_6RQ Link to post Share on other sites More sharing options...
Dammit01 Posted September 13, 2019 Author ID:1334707 Share Posted September 13, 2019 Good afternoon, I deleted chrome off from my system. The only browser that I have available now is IE11. When I go to the link to re-install chrome I get a "Database Exception" error. Can't download chrome. Mike Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 13, 2019 ID:1334723 Share Posted September 13, 2019 Sorry to hear all that. Let's do what follows and get a report from the machine. Please download MiniToolBox save it to your desktop and run it. Checkmark the following check-boxes: Flush DNS Report IE Proxy Settings Reset IE Proxy Settings List content of Hosts List IP configuration List Winsock Entries List last 10 Event Viewer log List Installed Programs List Devices List Users, Partitions and Memory size. List Minidump Files Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Attach Result.txt with your next reply. Link to post Share on other sites More sharing options...
Dammit01 Posted September 13, 2019 Author ID:1334729 Share Posted September 13, 2019 Thanks for not giving up yet. Attached are the results. Mike MTB.txt Link to post Share on other sites More sharing options...
Recommended Posts