
Another Browser Hijack - affects Chrome/IE - Malwarebytes can't see it


Solved by kevinf80


Got infected again ;(

Not entirely sure how. But it seems to be a similar Browser Hijack as I've seen before.

Zemana can see it and kill it - but it reappears after reboot.

MalwareBytes can't even see it (I tried rebooting and scanning with Malwarebytes PRIOR to removing with Zemana just to be sure)

All files attached as per requirements.

FWIW this is what Zemana says:

"MD5           : 
Status        : Scanned
Object        : software\microsoft\windows\currentversion\internet settings\connections
Publisher     : 
Size          : 0
Detection     : MaliciousSetting f
Action        : Delete"

Addition.txt FRST.txt malwarebytes.txt

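The Zemana hit above is on the registry key where WinINet keeps the per-connection proxy configuration; its DefaultConnectionSettings and SavedLegacySettings values are binary blobs holding the proxy server, bypass list and PAC (auto-config) URL. Chrome on Windows follows these system proxy settings by default, which is why one entry there redirects both Chrome and IE. The following Python is an added example, not code from the thread or from Zemana: it decodes such a blob, flags a manual proxy or PAC URL, and rebuilds a clean one. All blobs in it are constructed for the example; the URL is a placeholder and not taken from the poster's machine.

```python
"""Decode and rebuild the WinINet per-connection proxy blob (added example)."""
import struct
import sys

# Bits of the flags DWORD at offset 8 of the blob.
FLAG_DIRECT = 0x01      # set on every normal configuration
FLAG_PROXY = 0x02       # "use a proxy server" (manual proxy)
FLAG_PAC = 0x04         # "use automatic configuration script"
FLAG_AUTODETECT = 0x08  # "automatically detect settings" (WPAD)

CONN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"


def parse_connection_settings(blob: bytes) -> dict:
    """Split a DefaultConnectionSettings blob into its fields.

    Layout: version(u32) counter(u32) flags(u32), then three length-prefixed
    ASCII strings (proxy server, bypass list, PAC URL), then 32 zero bytes.
    """
    if len(blob) < 24:
        raise ValueError("blob too short to be a connection settings value")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    strings = []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("string length runs past end of blob")
        strings.append(blob[off:off + n].decode("ascii", "replace"))
        off += n
    proxy, bypass, pac_url = strings
    return {"version": version, "counter": counter, "flags": flags,
            "proxy": proxy, "bypass": bypass, "pac_url": pac_url}


def build_connection_settings(counter: int, flags: int, proxy: str = "",
                              bypass: str = "", pac_url: str = "") -> bytes:
    """Inverse of parse_connection_settings; used here to construct samples."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        data = s.encode("ascii")
        out += struct.pack("<I", len(data)) + data
    return out + bytes(32)


def hijack_indicators(settings: dict) -> list:
    """Return the reasons a parsed blob looks like a proxy or PAC hijack."""
    reasons = []
    if settings["flags"] & FLAG_PROXY and settings["proxy"]:
        reasons.append("manual proxy: " + settings["proxy"])
    if settings["flags"] & FLAG_PAC and settings["pac_url"]:
        reasons.append("PAC script: " + settings["pac_url"])
    return reasons


def read_live_settings(value_name: str = "DefaultConnectionSettings") -> dict:
    """Read the current user's blob from the registry (Windows only)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, CONN_KEY) as key:
        blob, _ = winreg.QueryValueEx(key, value_name)
    return parse_connection_settings(blob)


# Constructed samples: a default "auto-detect only" blob and a PAC hijack.
CLEAN_BLOB = build_connection_settings(counter=1, flags=FLAG_DIRECT | FLAG_AUTODETECT)
HIJACKED_BLOB = build_connection_settings(
    counter=7, flags=FLAG_DIRECT | FLAG_PAC | FLAG_AUTODETECT,
    pac_url="http://example.invalid/proxy.pac")  # placeholder URL, not from the thread

if __name__ == "__main__":
    if sys.platform == "win32":
        target = read_live_settings()
    else:
        target = parse_connection_settings(HIJACKED_BLOB)
    print(target)
    print("indicators:", hijack_indicators(target) or "none")
```

On the affected machine, run it after a reboot and before Zemana, and also pass `value_name="SavedLegacySettings"`: a tool that only resets DefaultConnectionSettings leaves the legacy copy in place, and a scheduled task or service can write either one back at every boot, which matches the "reappears after reboot" behaviour described in the post.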

Hello again Nick,

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Attach that log to your reply. Also, FRST will have created a zip file on your Desktop; please attach that to your reply as well...

Next,

Run another scan with Zemana and post that log...

Thank you,

Kevin..

fixlist.txt


No dice on the first attempt out of the gate.

Zemana still finds it after reboot.

No clues in what it says however - it's just:

MD5           : 
Status        : Scanned
Object        : software\microsoft\windows\currentversion\internet settings\connections
Publisher     : 
Size          : 0
Detection     : MaliciousSetting f
Action        : Delete

 

As for Fixlog.txt and the zipfile they are attached.

01.12.2020_01.14.02.zip Fixlog.txt


Hiya Nick,

Continue with the following:

Open an elevated command prompt,

Type or copy/paste the following commands and press Enter on each line:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"

RD /S /Q "%WinDir%\System32\GroupPolicy"

gpupdate /force

Exit.

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Thank you,

Kevin...

fixlist.txt

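The RD commands above wipe the local Group Policy store; the registry-backed policies it pushes live in %WinDir%\System32\GroupPolicy\Machine\Registry.pol (and ...\User\Registry.pol), and a browser proxy policy planted there is re-applied by gpupdate and survives a registry cleanup. Before deleting the folders it is worth seeing what they contain. The following Python is an added example, not code from the thread: it parses the registry.pol ("PReg") format, decodes string and DWORD values, and lists the proxy-related entries. The sample file is constructed inline; the policy value names are real Chrome and IE policy names, but the values and URL are invented placeholders.

```python
"""Parse a Group Policy registry.pol ("PReg") file (added example)."""
import struct

SIGNATURE = b"PReg"
REG_SZ, REG_DWORD = 1, 4


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_registry_pol(entries) -> bytes:
    """Serialise (key, value_name, type, data_bytes) tuples into PReg format.

    Body format: [key;value;type;size;data] with brackets and semicolons as
    UTF-16LE characters, key/value null-terminated, type and size raw DWORDs.
    """
    out = bytearray(SIGNATURE + struct.pack("<I", 1))
    for key, name, rtype, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(name) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def parse_registry_pol(data: bytes) -> list:
    """Return a list of dicts: key, name, type, value (decoded where possible)."""
    if data[:4] != SIGNATURE:
        raise ValueError("not a PReg file")
    (version,) = struct.unpack_from("<I", data, 4)
    if version != 1:
        raise ValueError("unsupported PReg version %d" % version)
    off = 8
    entries = []

    def expect(ch):
        nonlocal off
        if data[off:off + 2] != _u16(ch):
            raise ValueError("expected %r at offset %d" % (ch, off))
        off += 2

    def read_str():
        nonlocal off
        start = off
        while data[off:off + 2] != b"\x00\x00":  # scan on UTF-16 code unit boundaries
            off += 2
        s = data[start:off].decode("utf-16-le")
        off += 2  # skip the terminator
        return s

    while off < len(data):
        expect("[")
        key = read_str()
        expect(";")
        name = read_str()
        expect(";")
        (rtype,) = struct.unpack_from("<I", data, off)
        off += 4
        expect(";")
        (size,) = struct.unpack_from("<I", data, off)
        off += 4
        expect(";")
        raw = data[off:off + size]
        off += size
        expect("]")
        if rtype == REG_SZ:
            value = raw.decode("utf-16-le").rstrip("\x00")
        elif rtype == REG_DWORD and size == 4:
            (value,) = struct.unpack("<I", raw)
        else:
            value = raw
        entries.append({"key": key, "name": name, "type": rtype, "value": value})
    return entries


def proxy_policies(entries) -> list:
    """Entries whose value name mentions a proxy: the ones to look at first."""
    return [e for e in entries if "proxy" in e["name"].lower()]


# Constructed sample: Chrome forced onto a PAC script, IE proxy settings locked.
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Google\Chrome", "ProxyMode", REG_SZ, _u16("pac_script\x00")),
    (r"Software\Policies\Google\Chrome", "ProxyPacUrl", REG_SZ,
     _u16("http://example.invalid/proxy.pac\x00")),  # placeholder URL
    (r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "Proxy", REG_DWORD,
     struct.pack("<I", 1)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for e in proxy_policies(parse_registry_pol(data)):
        print("%s\\%s = %r" % (e["key"], e["name"], e["value"]))
```

Run it as `python regpol.py C:\Windows\System32\GroupPolicy\Machine\Registry.pol` (and again on the User copy) from an elevated prompt; an empty result means the GroupPolicy folders are not where the setting is being restored from, and the RD commands will not change anything.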

Hiya Nick,

Try the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


fixlist.txt


Fixlog.txt

No changes - still there after reboot.

Here is the fixlog.txt - btw - every time I reboot - I run Zemana to remove the Hijack.

Which means that your fixlist was processed with the Hijack removed.

Would you prefer that I process the fixlist with the Hijack present (I assume it shouldn't matter) but just checking.

 


Do not run Zemana after your next boot, then continue with the following:

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Hiya Nick,

Now, let's re-run RogueKiller and remove all the items it found.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, make sure every item listed is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".


Next,

Run Zemana, also post a screen shot of that report...

Thank you,

Kevin..

ok same as before.

Attached is RKLOG (again) - followed by FRST and addition.

And also the Zemana output is:

 

MD5           : 
Status        : Scanned
Object        : software\microsoft\windows\currentversion\internet settings\connections
Publisher     : 
Size          : 0
Detection     : MaliciousSetting f
Action        : Delete
 

 

Addition.txt FRST.txt rklog2.txt


Hiya Nick,

Do not run Zemana, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Emsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
    http://i.imgur.com/dQVDkTW.png
  • Leave everything as it is, then click Extract. This may be listed as Install. This will unpack or install Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction or installation is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
    http://i.imgur.com/qwL1Upn.png
     
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    http://i.imgur.com/yEgPemv.png
     
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    http://i.imgur.com/RUeRoi4.png
     
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    http://i.imgur.com/P7FSALs.png
     
  • Please Copy and Paste the contents of the scan log in your next reply.


Thank you,

Kevin...

fixlist.txt

Edited by kevinf80

Try the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


 

fixlist.txt


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


 

 

Fixlist.txt

Edited by kevinf80
error with fix list...

This topic is now closed to further replies.