Browsers redirect to several sites

bat7man
New Helpee

Posts: 5

Browsers redirect to several sites May 1, 2016 14:08:49 GMT -8

Quote

Post by bat7man on May 1, 2016 14:08:49 GMT -8

Hi,

I would like to ask for some help on malware. My system is a Windows 7 running Norton Internet Security.
This machine has one administrative user and four limited users, on the limited users I am seeing browser redirection to several different sites no matter if I am running Firefox or Chrome. I performed a Norton scan and no threat is reported, I also tried Norton Power Erase and no threat is also reported.
Some of those redirections take place when I click on a google search result, when this happens a Norton window opens reporting a Malvertisement Website Redirect 9, when I click on details I can see the attacker URL: tmserver-2.net/async.html?<parameters_omitted>.

I tried to reset browsers from all the accounts, but after some time I see the same symptons back.

I followed the steps available on 2nd - I think I am Infected. What do I do? topic and uploaded the scan results:

wikisend.com/download/752464/FRST

wikisend.com/download/566284/Addition.txt

Thanks.

Last Edit: May 1, 2016 14:13:25 GMT -8 by bat7man

dbrisen
Malware Removalists

Posts: 3,688

Browsers redirect to several sites May 1, 2016 20:07:53 GMT -8

Quote

Post by dbrisen on May 1, 2016 20:07:53 GMT -8

FIRST >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1644861223-528155475-542268345-1000\...\Run: [Wisdom-soft ScreenHunter 5.1 Free] => 0
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
GroupPolicyUsers\S-1-5-21-1644861223-528155475-542268345-1004\User: Restriction <======= ATTENTION
CMD: netsh winsock reset
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
DPF: HKLM-x32 {A6616B31-4860-41E2-98E3-CA7649AF172F} file:///E:/launch.ocx
FF NetworkProxy: "type", 0
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml [2014-09-16]
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml
FF Extension: Tabbrowser Preferences - C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi [2016-05-01]
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi
CHR Extension: (Google Drive) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-13]
CHR Extension: (Google Search) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-23]
S1 gbpddfac; system32\drivers\gbpddfac64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
C:\Windows\system32\drivers\gbpddfac64.sys
C:\Program Files (x86)\Garena Plus\Room\safedrv.sys
C:\Windows\system32\DRIVERS\vmnetadapter.sys
2016-04-26 06:01 - 2014-12-01 18:58 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieBrowserModeList
2016-04-26 06:01 - 2014-12-01 18:46 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieBrowserModeList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieUserList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieSiteList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieUserList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieSiteList
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Master\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
AlternateDataStreams: C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt [10]
AlternateDataStreams: C:\Windows\System32:92069093_Cef.gbp [2]
AlternateDataStreams: C:\Windows\System32:92069093_Uni.gbp [2]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

SECOND >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

LAST >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

[/b][/font] Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
[/ul]

Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

bat7man
New Helpee

Posts: 5

Browsers redirect to several sites May 3, 2016 4:25:57 GMT -8

Quote

Post by bat7man on May 3, 2016 4:25:57 GMT -8

Hi,

Thanks for the steps. I was able to run the fix, it asked me to reboot the machine, here we have the log generated:

Fix result of Farbar Recovery Scan Tool (x64) Version:01-05-2016
Ran by Master (2016-05-02 16:57:08) Run:1
Running from C:\Users\Master\Desktop
Loaded Profiles: Master (Available Profiles: Master & Batman & Roberta & Helo & Lais)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1644861223-528155475-542268345-1000\...\Run: [Wisdom-soft ScreenHunter 5.1 Free] => 0
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
GroupPolicyUsers\S-1-5-21-1644861223-528155475-542268345-1004\User: Restriction <======= ATTENTION
CMD: netsh winsock reset
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
DPF: HKLM-x32 {A6616B31-4860-41E2-98E3-CA7649AF172F} file:///E:/launch.ocx
FF NetworkProxy: "type", 0
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml [2014-09-16]
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml
FF Extension: Tabbrowser Preferences - C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi [2016-05-01]
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi
CHR Extension: (Google Drive) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-13]
CHR Extension: (Google Search) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-23]
S1 gbpddfac; system32\drivers\gbpddfac64.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
C:\Windows\system32\drivers\gbpddfac64.sys
C:\Program Files (x86)\Garena Plus\Room\safedrv.sys
C:\Windows\system32\DRIVERS\vmnetadapter.sys
2016-04-26 06:01 - 2014-12-01 18:58 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieBrowserModeList
2016-04-26 06:01 - 2014-12-01 18:46 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieBrowserModeList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieUserList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\LocalLow\EmieSiteList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieUserList
2016-04-26 06:01 - 2014-04-13 21:16 - 00000000 __SHD C:\Users\Batman\AppData\Local\EmieSiteList
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Master\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
CustomCLSID: HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Batman\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll => No File
AlternateDataStreams: C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt [10]
AlternateDataStreams: C:\Windows\System32:92069093_Cef.gbp [2]
AlternateDataStreams: C:\Windows\System32:92069093_Uni.gbp [2]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1644861223-528155475-542268345-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Wisdom-soft ScreenHunter 5.1 Free => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => key removed successfully
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => key removed successfully
"HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => key removed successfully
"HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => key removed successfully
"HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1644861223-528155475-542268345-1004\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully

========= netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{A6616B31-4860-41E2-98E3-CA7649AF172F}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{A6616B31-4860-41E2-98E3-CA7649AF172F}" => key removed successfully
Firefox Proxy settings were reset.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml => moved successfully
"C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\searchplugins\safesearch.xml" => not found.
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi => moved successfully
C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi => path removed successfully
"C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\extensions\{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd}.xpi" => not found.
C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf => moved successfully
C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf => moved successfully
C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
gbpddfac => service removed successfully
GGSAFERDriver => service removed successfully
VMnetAdapter => service removed successfully
"C:\Windows\system32\drivers\gbpddfac64.sys" => not found.
"C:\Program Files (x86)\Garena Plus\Room\safedrv.sys" => not found.
"C:\Windows\system32\DRIVERS\vmnetadapter.sys" => not found.
C:\Users\Batman\AppData\Local\EmieBrowserModeList => moved successfully
C:\Users\Batman\AppData\LocalLow\EmieBrowserModeList => moved successfully
C:\Users\Batman\AppData\LocalLow\EmieUserList => moved successfully
C:\Users\Batman\AppData\LocalLow\EmieSiteList => moved successfully
C:\Users\Batman\AppData\Local\EmieUserList => moved successfully
C:\Users\Batman\AppData\Local\EmieSiteList => moved successfully
"HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}" => key removed successfully
HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
HKU\S-1-5-21-1644861223-528155475-542268345-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => key not found.
C:\Program Files (x86)\GbPlugin => ":IncompleteStartProcessProtection.cnt" ADS removed successfully.
C:\Windows\System32 => ":92069093_Cef.gbp" ADS removed successfully.
C:\Windows\System32 => ":92069093_Uni.gbp" ADS removed successfully.

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state on =========

Ok.

========= End of CMD: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1644861223-528155475-542268345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1644861223-528155475-542268345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

EmptyTemp: => 653.5 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 17:00:39 ====

After that I deactivated Norton Auto-Protect and ran JRT, it seems to got frozen, it ran for 11 hours and no log file was generated, so I killed the process, in its windows it stopped at Shortcuts step, see its output below:

[ Click the [X] in the top-right corner of this window ]
[ if you wish to exit. Otherwise, ]
================================================================

Press any key to continue . . .

Creating restore point... SUCCESS
(* ) Processes
(** ) Startup - Logon
(*** ) Startup - Scheduled Tasks
(**** ) Services
(***** ) File System
(****** ) Browsers
(******* ) Shortcuts

I stopped here, I did not try to run it again nor tried the AdwCleaner.

dbrisen Malware Removalists Posts: 3,688	Browsers redirect to several sites May 3, 2016 23:15:04 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on May 3, 2016 23:15:04 GMT -8 Unfortunate about JRT. Please download and run AdwCleaner then post its' log. Thanks. Oh, how is the system running now?
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

bat7man
New Helpee

Posts: 5

Browsers redirect to several sites May 4, 2016 17:37:53 GMT -8

Quote

Post by bat7man on May 4, 2016 17:37:53 GMT -8

Hi,

Thanks, I ran AdwCleaner, here follows its log:

# AdwCleaner v5.115 - Logfile created 04/05/2016 at 22:13:02
# Updated 01/05/2016 by Xplode
# Database : 2016-05-04.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Master - BATCAVE
# Running from : C:\Users\Master\Desktop\AdwCleaner.exe
# Option : Clean
# Support : toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PackageAware

***** [ Files ] *****

[-] File Deleted : C:\Users\Batman\AppData\Roaming\Mozilla\Firefox\Profiles\myrmblry.default\searchplugins\safesearch.xml
[-] File Deleted : C:\Users\Helo\AppData\Roaming\Mozilla\Firefox\Profiles\cijty8pm.default\searchplugins\safesearch.xml
[-] File Deleted : C:\Users\Lais\AppData\Roaming\Mozilla\Firefox\Profiles\dn7wtsoa.default\searchplugins\safesearch.xml

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\DriverToolkit
[-] Key Deleted : HKCU\Software\powerpack
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM

***** [ Web browsers ] *****

[-] [C:\Users\Master\AppData\Roaming\Mozilla\Firefox\Profiles\ekqq3lhg.default\prefs.js] Deleted : user_pref("lightweightThemes.usedThemes", "[{\"id\":\"16\",\"name\":\"Firefox B\",\"headerURL\":\"hxxps://addons.mozilla.org/_files/15114/newfirefoxheader.png?1229632195\",\"footerURL\":\"hxxps://addo[...]
[-] [C:\Users\Master\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com
[-] [C:\Users\Batman\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com
[-] [C:\Users\Roberta\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com
[-] [C:\Users\Helo\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com
[-] [C:\Users\Lais\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2567 bytes] - [04/05/2016 22:13:02]
C:\AdwCleaner\AdwCleaner[S1].txt - [2700 bytes] - [04/05/2016 22:06:53]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2713 bytes] ##########

Now, I was not able to reproduce the symptom from google searches, but when I try to navigate to some sites I am still seeing the Malvertisement Website Redirect 9 alert from Norton, and a window is opened to undesired sites.

dbrisen
Malware Removalists

Posts: 3,688

Browsers redirect to several sites May 4, 2016 18:34:16 GMT -8

Quote

Post by dbrisen on May 4, 2016 18:34:16 GMT -8

Let's move on to a more general scanner then ....

Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here. Download the free version so it will not interfere with Norton. The free version cleans just as well as the paid version but only has manual scanning.

Double Click on the mbam-setup.exe file to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link

Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected along with Non-Malware Protection PUP and PUM are set to "Treat detections as malware"

Once the program has loaded, updated and the Settings are correct, select "Scan Now >>" to start the scan (from the Main Screen).

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK. When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

bat7man
New Helpee

Posts: 5

Browsers redirect to several sites May 8, 2016 1:22:57 GMT -8

Quote

Post by bat7man on May 8, 2016 1:22:57 GMT -8

Hi,

I performed the Malwarebytes Scan, here we have the log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 08/05/2016
Scan Time: 03:55
Logfile: malwarebytes_scan.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.07.05
Rootkit Database: v2016.05.06.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Master

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 634680
Time Elapsed: 56 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

I don't know why the quarantined items were not logged but I copied the info from one of their panels:

Vendor Date Type Location
PUP.Optional.Conduit 08/05/2016 File C:\Program Files (x86)\Wisdom-soft ScreenHunter 6.0 Free\Toolbar.exe
PUP.Optional.TerraClicks.ShrtCln 08/05/2016 File C:\Users\Lais\AppData\Local\Google\Chrome\User Data\Default\Preferences
PUP.Optional.TerraClicks.ShrtCln 08/05/2016 File C:\Users\Batman\AppData\Local\Google\Chrome\User Data\Default\Preferences
PUP.Optional.TerraClicks.ShrtCln 08/05/2016 File C:\Users\Helo\AppData\Local\Google\Chrome\User Data\Default\Preferences
PUP.Optional.TerraClicks.ShrtCln 08/05/2016 File C:\Users\Roberta\AppData\Local\Google\Chrome\User Data\Default\Preferences

I am still seeing redirections from the browsers. Another fact that I can bring here is that after installing Malwarebytes application I see a lot of pop-up windows telling me that a malicious site access was blocked, it happens lots of time and the IP from the site blocked is always the same, see a sample here:

Detection, 08/05/2016 00:00, SYSTEM, BATCAVE, Protection, Malicious Website Protection, IP, 94.102.60.181, 64134, Outbound, C:\Windows\System32\svchost.exe,
Detection, 08/05/2016 00:00, SYSTEM, BATCAVE, Protection, Malicious Website Protection, IP, 94.102.60.181, 55835, Outbound, C:\Windows\System32\svchost.exe,
...

Thanks.

dbrisen
Malware Removalists

Posts: 3,688

Browsers redirect to several sites May 8, 2016 20:42:15 GMT -8

Quote

Post by dbrisen on May 8, 2016 20:42:15 GMT -8

This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

You can leave Norton Enabled even though ESET may warn about it. just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same

Please read carefully and Slowly, Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below at it needs to have the tick removed.

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).

For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.

Double click on the icon on your desktop.

Check (accept) the Terms of Use.

Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked

Now click on: Start

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.

At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).

Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.

Attach the saved log file in your next reply please. Thanks.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

bat7man
New Helpee

Posts: 5

Browsers redirect to several sites May 15, 2016 15:36:53 GMT -8

Quote

Post by bat7man on May 15, 2016 15:36:53 GMT -8

Hi,

Here are the results:

C:\Bat_Family\Master\Backup\Firefox\profileFx3{default}.fbu a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Bat_Family\Software\Nero-8.2.8.0_eng_update_oficial.exe Win32/Toolbar.AskSBar potentially unwanted application
C:\Bat_Family\Software\Nero_MediaHome-4.4.26.0d.exe Win32/Toolbar.AskSBar potentially unwanted application
C:\Bat_Family\Software\Nero_Move_it-1.5.9.0e.exe Win32/Toolbar.AskSBar potentially unwanted application
C:\Bat_Family\Software\nero_photoshow_express_5_setup.exe Win32/Toolbar.AskSBar potentially unwanted application
C:\Bat_Family\Temp\setupscreenhunterfree.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\Bat_Family\Temp\setupscreenhunterfree_001.exe Win32/Toolbar.Conduit.S potentially unwanted application
C:\Bat_Family\Temp\setupscreenhunterfree_5.1.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application

dbrisen
Malware Removalists

Posts: 3,688

Browsers redirect to several sites May 15, 2016 21:52:01 GMT -8

Quote

Post by dbrisen on May 15, 2016 21:52:01 GMT -8

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Wisdom-soft ScreenHunter 6.0 Free

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
C:\Bat_Family\Temp\setupscreenhunterfree.exe
C:\Bat_Family\Temp\setupscreenhunterfree_001.exe
C:\Bat_Family\Temp\setupscreenhunterfree_5.1.exe
C:\Program Files (x86)\Wisdom-soft ScreenHunter 6.0 Free\Toolbar.exe
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

Browsers redirect to several sites

Post by bat7man on May 1, 2016 14:08:49 GMT -8

Post by dbrisen on May 1, 2016 20:07:53 GMT -8

Post by bat7man on May 3, 2016 4:25:57 GMT -8

Post by dbrisen on May 3, 2016 23:15:04 GMT -8

Post by bat7man on May 4, 2016 17:37:53 GMT -8

Post by dbrisen on May 4, 2016 18:34:16 GMT -8

Post by bat7man on May 8, 2016 1:22:57 GMT -8

Post by dbrisen on May 8, 2016 20:42:15 GMT -8

Post by bat7man on May 15, 2016 15:36:53 GMT -8

Post by dbrisen on May 15, 2016 21:52:01 GMT -8