Infected by Hijack.AutoConfigURL?



Hi, Simon.    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let's begin by getting the report below. I will also be guiding you (later) to getting the latest Malwarebytes for Windows version 4.1.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 


I would appreciate  getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder/location of the downloaded file.
  • Double-click mb-support-1.5.4.760.exe to run the report.
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next.
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button "Start repair"!
  • Click the Advanced tab on the left column.
  • Click the Gather Logs button.
  • A progress bar will appear and the program will proceed with getting logs from your computer.
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.
  • Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,

Sincerely.

 


Hi Simon. Thank you very much for the zip file report. What follows is just a first step, intended to quash the "proxy" issue. There will be more for later.

I hope to guide you to upgrading the Malwarebytes to the latest 4.1 version & also doing a new Scan with it.

The pc currently has the older version 3.8.3.

And it looks as if the "Qweb" "converter" was removed.

And for very last, I would like to see that this Windows be updated to the latest Microsoft build release, which is Build 1909.

 

Please Close and Save any open work you may have open.

Please close as many unneeded app windows that you yourself may have open at this point, so you can have a clear field of view.

 

This custom script is for  Simon79    only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as, and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen, and click the button "Run anyway" on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

There will be more to do after this.   Thanks for your patience.

 

Fixlist.txt


Hello Simon.

Thanks for the report.   Bravo.  The custom fix run is good.  I expect that the "proxy" value issue is now no more.  That is to say, it should be the normal default value.

Now then, since this pc has the older version 3.8.3 of Malwarebytes, we need to get it upgraded or cleanly installed to version 4.1.

For that purpose, we will use the Malwarebytes Support tool, which is already on this machine.   This is a first step.

Let's perform a clean re-installation of the latest Malwarebytes for Windows version using our Malwarebytes Support Tool. This is designed to automate the clean uninstallation of our products, along with installation and activation of Malwarebytes for Windows Premium (if applicable).

Malwarebytes Support Tool (MBST) Clean Reinstall

  • Open your Downloads folder.
  • Right-click mb-support-1.5.4.760 & select Run as administrator to start the tool & reply YES to allow it to go forward.
  • When prompted by Windows, reply YES to allow the tool to go forward.
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!".
  • Click the Advanced Options link. This is important. Please ensure Advanced Options is clicked.
  • Click the Clean button followed by Yes to proceed.
  • Upon completion, click OK to reboot your computer.
  • After the reboot, please wait for the program to reopen. Have lots of patience. It may take several minutes for it to re-appear for the 2nd phase.
  • You will be presented with the option to install Malwarebytes for Windows. Click Yes.
  • Installation of Malwarebytes for Windows will commence shortly after.
  • Upon completion, Malwarebytes for Windows will automatically open.
  • If installation of Malwarebytes for Windows does not commence, please let me know.

 

Then, when all is done, please let's do one final Windows Restart.

[   2   ]

 See to it that Malwarebytes for Windows is not registered with the Windows 10  Windows Security Center.

This is due to the pc having BitDefender as the resident antivirus.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

 

[   3   ]

In Malwarebytes, look at the top & click on the Settings  ( gear ) icon.

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan,  click the blue Scan button.

Have patience during the run.

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the Scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

When done, close the window.

 

There is an online User Guide for Malwarebytes 4.   Bookmark this link

https://support.malwarebytes.com/hc/en-us/articles/360038984693-Malwarebytes-for-Windows-guide-v4

 

If you encounter any issues during the running of the tool, please let me know.

Please keep me advised after all this. Thank you.

 


Hi Simon.

That is great.  Bravo to you.   😎

The scan result is perfect. And the Malwarebytes Premium is at the latest version: Version: 4.1.0.56
Komponentenversion (Component package): 1.0.859


I have some other suggestions for you, as follow-ups.

[   1   ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on the Dashboard button.

Click the blue button "Scan Now".

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs


[    2   ]

Next, a report utility to check on the update-status of some key utilities.  It is just a report.

Please download Security Analysis by Rocket Grannie from here

  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Right-click RGSA.exe & select Run as Administrator & reply Yes to proceed.
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please attach SALog.txt with your reply.

Note: If you get a Warning from Windows SmartScreen about running the program, click on More info 

and then click Run Anyway to run it anyway.  This is only just a report.

Thanks.  Keep me advised.     😃


Hi Maurice,

great, here are the additional logs.

Bitdefender and Malwarebytes do not find any threats anymore. But Bitdefender gives me a warning that it blocked an infected website which is called by svchost.exe.

"http://quick-access-web.com/wpad.dat?acba7dc7827e572ae68b7d383f9c041e36932927 Aufgerufen durch: svchost.exe Name der Bedrohung: Trojan.GenericKDZ.65168"

What could that be?

It seems to happen at every single start of the Computer.

Thank you.

Simon

AdwCleaner[S00].txt SALog.txt
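Maurice expects the "proxy" value to be back at its Windows default after the FRST fix run, and Simon's BitDefender alert above shows svchost.exe still requesting a wpad.dat PAC file at every start. The read-only PowerShell script below is an added example, not part of this thread and not a Malwarebytes tool: it lists the per-user and machine-wide Internet Settings proxy values that the Hijack.AutoConfigURL detection name refers to (AutoConfigURL, ProxyEnable, ProxyServer), flags anything that is not at the default, and then shows the separate WinHTTP proxy setting that system services hosted in svchost.exe use. It assumes an elevated PowerShell prompt on Windows 10 and changes nothing.

```powershell
# Added example (not from this thread or from Malwarebytes): read-only check of
# the proxy values behind the Hijack.AutoConfigURL detection name.
# Assumes an elevated PowerShell prompt on Windows 10; nothing is modified.

$internetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Current user, machine-wide, and every user hive currently loaded under HKEY_USERS
$keys = @("HKCU:\$internetSettings", "HKLM:\$internetSettings")
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $keys += "Registry::$($hive.Name)\$internetSettings"
}

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key           = $key
        AutoConfigURL = $values.AutoConfigURL   # default: value absent (no PAC file)
        ProxyEnable   = $values.ProxyEnable     # default: 0 (no static proxy)
        ProxyServer   = $values.ProxyServer     # default: value absent
    }
}

$findings | Format-Table -AutoSize

# A PAC URL, or a static proxy switched on, is not the Windows default and is
# exactly what a proxy hijacker sets to route browser traffic through its own server.
$suspect = $findings | Where-Object {
    $_.AutoConfigURL -or $_.ProxyEnable -eq 1 -or $_.ProxyServer
}
if ($suspect) {
    Write-Output 'Non-default proxy settings found; review each entry:'
    $suspect | Format-List
} else {
    Write-Output 'All checked keys are at default: no PAC URL and no static proxy.'
}

# System services (hosted in svchost.exe) use the separate WinHTTP proxy
# setting rather than the per-user values above, so show that as well.
netsh winhttp show proxy
```

Run it before and after a fix to confirm the values really went back to default; if a PAC URL pointing at an unfamiliar host shows up again after a restart, that is the sign that something on the machine is re-setting it, which is the question a helper would want the scan reports to answer.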


Thanks for the reports.   The SA (Security Analysis by Rocket Grannie ) report is all good.

When BitDefender shows that message,  which of the web browsers is open ?

and another question:  Do you only ever use the Edge browser ?

& I see some traces of Google Chrome

& I can't figure out if this rig has Mozilla Firefox fully installed. And yet, the FRST tells me that it has Firefox.

 

Let's beef up all your web browsers.

[   1   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[     2    ]

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[   3   ]

If the pc has Mozilla Firefox, get & install the Malwarebytes Browser Guard Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.

 

[   4   ]

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.


Thanks for the Autoruns report.

I noticed there are 2 different VPN modules running: 1 from BitDefender & 1 from OpenVPN. Since the pc has BitDefender antivirus, it seems to me you want to uninstall OpenVPN by Sophos. It is listed as installed in Windows as "Sophos SSL VPN Client 2.1". Uninstall the Sophos please.

 

There are remains of Avira antivirus. For this, you will need to get and run a special removal tool.

  1. Download and  save  this  special removal tool from here
  2. After it is saved, Run the tool
  3. Select The uninstallation will be executed. 
  4. Select Avira and/or Launcher.
  5. Confirm the uninstallation.
  6. Restart your computer once the tool has been executed. 

 

[    2   ]

Please delete the previous file I had you save named Fixlist.txt

 

This custom script is for  Simon79    only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as, and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen, and click the button "Run anyway" on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

 

[   3   ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first.
  • Close any running programs that you started on your own (if any).

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Start Scan.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.


Thank you.

 

Fixlist.txt

Edited by Maurice Naggar

The answer to your question is yes.  Matter of fact, the FRST report shows that elements  ( parts)  of Chrome & Firefox are there.

Has this machine always been yours alone?

 

Thanks for the reports.  The Fix run went as designed.

The registry line listed is inert. This seems like an over-reach by the Roguekiller tool. Though the line can be removed.

The version of Roguekiller_portable you have should be version 14.3.0.0

This next step is to do a new run with Roguekiller.   Please read all of this first.  And if you have questions, ask me first.

 

Please disconnect any USB or external drives from the computer before you run this scan!

Find where you saved the Roguekiller_portable64.exe

Do a Right-click with your mouse on it and select Run as Administrator.

If prompted by Windows, reply Yes to have it proceed.

From the left-side list of options , click the Scan icon.

Next, look on the left-side pane “Advanced Scan”   & then click the Scan button.

The advanced scan should take something like under 30 minutes to run.

 

After the scan has finished, click the Results button.

You can inspect and choose the elements to remove in the results tab.
Select or deselect the items to your needs, and hit the “Removal” button to start removal.

I would suggest if you know directly and positively that a line is known to you & safe, to Un-tick the line.

Otherwise, have the app remove all that it has found.

Click the Removal button.

 

After a removal, only selected items are displayed and their status is updated with what the engine did with them.


 

The Removal report is  made available with the “Report” button.

Please use the Report function.  Save a copy of it and attach with your next reply.

When done, click the Finish button and exit the tool.

After that, kindly let me know the overall status.

 

Edited by Maurice Naggar

Added note regarding quick-access-web

Please try to determine what "free" programs you downloaded from the web & installed in the past 3 weeks or so.

and also see if any programs named like the following are installed

Browsers_Apps_Pro
CheckMeUp
Cinema Plus
CloudScout Parental Control
Desktop Temperature Monitor
DNS Unlocker
HD-V2.2
HostSecurePlugin
MediaVideosPlayers
Network System Driver
New Player
Pic Enhance
Price Minus
PriceLEess
SalesPlus
Salus
Save Daily Deals
Savefier
Savepass
Sm23mS
SS8
Wajam
Web-fast-access
Word Proser


Hi Maurice,

here comes the report. The only item RogueKiller has found was again the HKEY...I have deleted it.

The computer was mine from the 1st day. I can remember that I have had Firefox and Chrome for some days, but uninstalled them.

I have checked the computer but there is none of the listed programs on it, or I can not find them. I looked in Settings-->Apps and Features.

I am pretty sure that I did not have installed any freeware programs in the last weeks. Last program I have installed is ZWIFT. It is a program, where I can connect my bike-Hometrainer.

Bitdefender again blocked the connection from svchost.exe to "quick-access-web.com/wpad.dat?acba7dc7827e572ae68b7d383f9c041e36932927" (be careful, it seems to be an infected website). Another connection was blocked from Microsoft Edge to markets.books.microsoft.com because the used certificate is for another target address.

Thanks,

Simon

200328-Roguekiller_Report_2.txt


Thanks for the report from Roguekiller_portable. The item was tagged as a PUP type. Potentially unwanted.

I do not believe that 1 registry entry could be any sort of actual real threat. It by itself did not call or run or do anything. Except only just listing OCS.

Anyhow, that thing is not the cause of the block message you have been getting from Bitdefender.

I did notice Zwift from my earlier reviews of the reports. I would highly recommend you Uninstall Zwift and do a Windows >> Restart.

Then let us see if the message from BitDefender goes away.

This issue might be perhaps a false positive from BitDefender.   I think you should be checking with BitDefender support about this issue.

 

Till now, we have run a battery of scans.   The only app that is doing any flagging is BitDefender.

IF you are not paying for BitDefender,  I would say to consider uninstalling it.  The Windows 10 comes with the Microsoft Antivirus named Windows Defender, a strong and powerful antivirus.  It is free.  It is built-in.  If you were to uninstall BitDefender, the Windows Defender will then be set as the resident antivirus.


Ok, Maurice. I will try to uninstall Zwift and if there will be further problems with Bitdefender, I will try it with the support there.

So let me say thank you very much for the perfect support. I am very glad that my computer is working well now.

Again, thanks a lot 🙂

Simon


Hi, Simon.   You are very welcome.   I am happy to have helped.

I am going to list below a best practices list. In another reply, I will list for you how to clean up the tools we used.

If you have any other questions, just let me know.   I will be tagging the case for closure.

 

The first best practice of computer safety is to have backups of the system.  Make regular periodic backups to offline removable media.

Backup is your best friend.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


Edited by Maurice Naggar

This is to cleanup the tools & downloads that I had you use.

On the Downloads folder,  delete mb-support-1.5.4.760.exe   & Roguekiller_portable64.exe & RGSA.exe  & Fixlist.txt

Delete Roguekiller_portable64.exe

Delete mbst-grab-results.zip    &  Autoruns.exe    on  your Desktop.

The Adwcleaner you may keep.   You may run it on demand to do scans for adwares.


To remove the FRSTENGLISH tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.

Then run that ( double click on it)  to begin the cleanup process for FRST.

Any other file I had you download, you may delete.

 

My best wishes to you.   Your pc has the latest Malwarebytes for Windows and it is in Premium.

Cheers.

Edited by Maurice Naggar