Infected - malware seems to affect Chrome/IE - nothing removes it fully


Posted (edited)

Hiya nickbee123,

This is more than frustrating, something hidden is resetting registry changes on reboot.

Can you check if any group policies are set...

 
  • Press the Windows key + R to open the Run box. Type or copy/paste rsop.msc and press Enter.
  • The Resultant Set of Policy tool will start scanning your system for applied group policies.
  • After scanning, the tool will show you a management console that lists out all group policies applied to your currently logged-on account.
next,
 
Run FRST one more time:

Type the following in the edit box after "Search:".

{6BFFB413-E7AB-4EB4-B5DA-94027CEBECF5}

Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.
 
next,
 

Run FRST one more time:

Type the following in the edit box after "Search:".

{6BFFB413-E7AB-4EB4-B5DA-94027CEBECF5}

Click Search Files button and post the log (Search.txt) it makes to your reply...

Thanks,

Kevin.

 

Edited by kevinf80

no more of {6BFFB413-E7AB-4EB4-B5DA-94027CEBECF5} in the registry...

and the RSOP looks like the attached image.

Nothing weird in there (at least nothing "seemed" to be weird) but I'm not entirely sure what it's supposed to look like as I'd never opened it before.

 

(attached image: RSOP screenshot)

SearchReg.txt

Open an elevated command prompt, type or copy paste the following at the prompt then hit enter:

gpresult /user nick /h c:\gpo.html /f

gpo.html will be saved to the root of the C:\ drive; can you zip it and attach it to your next reply?

Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".
 
Thanks,
 

gpo.html was very small but I zipped it anyway - also added the TXT files.

Interestingly and very oddly - I was trying to zip it on the spot (in the root of the C drive) and it wouldn't let me... Threw up this error - basically I couldn't create any files in C:\

root folder

not necessarily connected but VERY VERY weird.

Nick

(attached image: zip error message)

gpo.zip Addition.txt FRST.txt


Hello Nick,

When you try to zip a file or folder in the root of C:\ you should receive an alert saying it cannot be saved to C:\ and offering to save it on the Desktop. I should have mentioned that...

Can you reboot, do not use Zemana. Run this:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Thanks,

Kevin

fixlist.txt


ok that one worked - but I thought I'd do it after zemana also since it was just a query

both are attached (since FRST deletes the fixlist batch command file after running it - I just re-downloaded it for the second go)

Interestingly the data seems identical between the two which is not what I expected

Fixlog.txt Fixlog_after_zemana.txt

Posted (edited)

Hiya Nick,

I've looked at your logs and checked through the registry settings on a standard Windows 10 Pro via a VM. Not sure if this will fix the issue, but let's see what happens...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Your system will reboot after the fix completes..


Thanks,

Kevin..

fixlist.txt

Edited by kevinf80
typing error

sorry for delay - just tried it. unfortunately no noticeable difference. Still the same Zemana finds it and kills it temporarily.

at some point I might just give up and reinstall windows completely...but I'm happy to keep trying for a bit if you are - because if it fixes malwarebytes or adwcleaner it might help others also

Fixlog.txt


Hiya Nick,

This recurring problem with the AutoConfigURL can be the result of non-MS application settings, malware, or an admin-administered group policy. We tried removal from Clean Boot, that is with all non-Microsoft services disabled, and the issue returned at boot. That seems to discount non-MS services. There is no malware or infection showing in your logs, so we can discount that option. I assume this is a personal PC, so a corporate or business admin input can also be discounted.

To me this does seem more and more like some kind of Group Policy is in place to keep the issue returning after removal; normally to administer a group policy a reboot is needed to confirm the policy. A point of note here is that all of the reasons I gave above can also be responsible for setting group policy, so any of the above could have been responsible and the GP was left in place.

I want to try resetting Group Policy back to default, then run the registry fix again and force a reboot on completion....

Open an elevated command prompt,

Type or copy/paste the following commands and press Enter on each line:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"

RD /S /Q "%WinDir%\System32\GroupPolicy"

gpupdate /force

Exit.

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.


Thank you,

Kevin...

 

fixlist.txt

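The post above diagnoses a per-user proxy setting (AutoConfigURL) that keeps coming back because a local Group Policy re-applies it at boot, and fixes it by deleting the local policy folders and forcing a refresh. As an added, read-only example that is not part of the thread or of FRST, the PowerShell below checks for exactly that pattern on a Windows machine: it reports the AutoConfigURL value in the user's Internet Settings key and in the policy-scope copy of that key, and then looks inside the local registry.pol files (the same GroupPolicy and GroupPolicyUsers folders the commands above remove) for a reference to AutoConfigURL. The policy-scope key path `HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings` and the assumption that registry.pol is UTF-16LE text are mine, not stated on the page; the script changes nothing, so it is safe to run before deciding whether the reset is warranted.

```powershell
# Added example, not from the thread: audit the AutoConfigURL proxy setting and look for a
# local Group Policy file that could re-apply it at boot. Read-only: nothing is modified.

# Per-user proxy settings (where the hijack lands) and the policy-scope copy (assumed path).
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-AutoConfigUrl {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return $null }
    (Get-ItemProperty -Path $KeyPath -Name 'AutoConfigURL' -ErrorAction SilentlyContinue).AutoConfigURL
}

$userValue   = Get-AutoConfigUrl $userKey
$policyValue = Get-AutoConfigUrl $policyKey
Write-Host ("Per-user AutoConfigURL : {0}" -f ($(if ($userValue)   { $userValue }   else { '<not set>' })))
Write-Host ("Policy AutoConfigURL   : {0}" -f ($(if ($policyValue) { $policyValue } else { '<not set>' })))

# Local GPO registry.pol files: the thread removes these folders with RD /S /Q.
$policyFiles = @(
    "$env:WinDir\System32\GroupPolicy\User\registry.pol",
    "$env:WinDir\System32\GroupPolicy\Machine\registry.pol"
)
$policyFiles += @(Get-ChildItem "$env:WinDir\System32\GroupPolicyUsers" -Recurse -Filter registry.pol `
                  -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)

$policyHit = $false
foreach ($pol in $policyFiles) {
    if (-not (Test-Path $pol)) { continue }
    # registry.pol stores key and value names as UTF-16LE (assumption), so decode the raw bytes
    # that way and search the decoded text for the value name.
    $text = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($pol))
    if ($text -match 'AutoConfigURL') {
        $policyHit = $true
        Write-Host ("{0}: references AutoConfigURL" -f $pol)
    } else {
        Write-Host ("{0}: no AutoConfigURL reference" -f $pol)
    }
}

# A per-user value that survives removal, together with a policy-scope value or a registry.pol
# that names it, is the signature the thread ends up fixing by resetting local Group Policy.
if ($userValue -and ($policyValue -or $policyHit)) {
    Write-Host 'AutoConfigURL is set and a local policy references it: a policy reset is likely needed.'
} elseif ($userValue) {
    Write-Host 'AutoConfigURL is set but no local policy references it: look for another persistence source.'
} else {
    Write-Host 'AutoConfigURL is not set.'
}
```

Run it from an elevated PowerShell prompt so the Machine\registry.pol file is readable; `gpresult /user <name> /h` from earlier in the thread remains the authoritative view of which policies actually applied, while this script only shows whether the local policy files carry the value.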

OMG. It appears to have worked.

Reboot. Scan with Zemana.

T'is clean. You've done it. No reinstall needed. Thanks for staying on top of it Kevin - I wonder if it's worth adding a "reset group policy" tickbox in Malwarebytes...

Anyways - you da man ;)

Fixlog.txt


Hiya Nicky,

Definitely a new version of the AutoConfigURL hijack. We see this hijack many times daily, usually Malwarebytes or if needed Zemana remove the hijack and reset the registry settings. Unfortunately as in your case Group Policy just loaded the hijack straight back in.

I do not think it is plausible to add reset GP option to malwarebytes, it may break more than it fixes if used blindly. I will certainly pass on to the dev team what has happened in this situation.

We've created several restore points along the way in case needed; obviously now we have fixed the issue all restore points need to be removed in our clean up...

Right click on FRST here: C:\Users\nick\Downloads\FRST64.exe and rename it uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
