|
Post by bat7man on May 1, 2016 14:08:49 GMT -8
Hi, I would like to ask for some help on malware. My system is a Windows 7 running Norton Internet Security. This machine has one administrative user and four limited users. On the limited users I am seeing browser redirection to several different sites, no matter if I am running Firefox or Chrome. I performed a Norton scan and no threat is reported. I also tried Norton Power Eraser and no threat is reported either. Some of those redirections take place when I click on a Google search result. When this happens a Norton window opens reporting a Malvertisement Website Redirect 9, and when I click on details I can see the attacker URL: tmserver-2.net/async.html?<parameters_omitted>. I tried to reset the browsers from all the accounts, but after some time I see the same symptoms back. I followed the steps available on the "2nd - I think I am Infected. What do I do?" topic and uploaded the scan results:
wikisend.com/download/752464/FRST
wikisend.com/download/566284/Addition.txt
Thanks.
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on May 1, 2016 20:07:53 GMT -8
FIRST >>>>
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
SECOND >>>>
Junkware Removal Tool
Please download JRT from here to your desktop.
Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.
Double click the JRT.exe file to run the application. The application will open a Command Prompt window and run from there (this is normal for this program, so not to be alarmed). When it is asked, press any key to allow the program to continue / run. This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.
Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.
LAST >>>>
AdwCleaner by Xplode
Download AdwCleaner from here or from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.
Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner. You will see the following console:
Click the Scan button and wait for the scan to finish.
After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
Click the Clean button. Everything checked will be deleted.
When the program has finished cleaning a report appears. Once done it will ask to reboot, allow this.
On reboot a log will be produced, please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
Optional: NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
|
|
|
Post by bat7man on May 3, 2016 4:25:57 GMT -8
Hi,
Thanks for the steps. I was able to run the fix, it asked me to reboot the machine, here we have the log generated:
After that I deactivated Norton Auto-Protect and ran JRT. It seems to have frozen: it ran for 11 hours and no log file was generated, so I killed the process. In its window it stopped at the Shortcuts step, see its output below:
I stopped here, I did not try to run it again nor tried the AdwCleaner.
|
|
|
Post by dbrisen on May 3, 2016 23:15:04 GMT -8
Unfortunate about JRT. Please download and run AdwCleaner then post its log. Thanks.
Oh, how is the system running now?
|
|
|
Post by bat7man on May 4, 2016 17:37:53 GMT -8
Hi,
Thanks, I ran AdwCleaner, here follows its log:
Now, I was not able to reproduce the symptom from google searches, but when I try to navigate to some sites I am still seeing the Malvertisement Website Redirect 9 alert from Norton, and a window is opened to undesired sites.
|
|
|
Post by dbrisen on May 4, 2016 18:34:16 GMT -8
Let's move on to a more general scanner then ....
Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here. Download the free version so it will not interfere with Norton. The free version cleans just as well as the paid version but only has manual scanning.
Double Click on the mbam-setup.exe file to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected along with Non-Malware Protection PUP and PUM are set to "Treat detections as malware".
Once the program has loaded, updated and the Settings are correct, select "Scan Now >>" to start the scan (from the Main Screen).
The scan may take some time to finish, so please be patient.
If any malware is found, you will be presented with a screen like the one below.
If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results. The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK.
When the export is complete, select OPEN. The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + C) it to paste here in a reply.
|
|
|
Post by bat7man on May 8, 2016 1:22:57 GMT -8
Hi,
I performed the Malwarebytes Scan, here we have the log:
I don't know why the quarantined items were not logged but I copied the info from one of their panels:
I am still seeing redirections from the browsers. Another fact that I can bring here is that after installing the Malwarebytes application I see a lot of pop-up windows telling me that a malicious site access was blocked. It happens lots of times and the IP from the site blocked is always the same, see a sample here:
Thanks.
|
|
|
Post by dbrisen on May 8, 2016 20:42:15 GMT -8
This next step may take a while (just to warn you) .....
ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.
You can leave Norton Enabled even though ESET may warn about it. It just makes the scan take longer.
The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.
Please read carefully and Slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.
Take note of the NO tick in the Remove found threats setting below as it needs to have the tick removed.
Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
Link =>> ESET Online Scanner <<
Click the Run ESET Online Scanner located on the left side of the page (not the free trial).
For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.
Double click on the icon on your desktop.
Check (accept) the Terms of Use.
Click the START button.
Accept any security warnings from your browser.
Now in the Computer scan settings window that appears:
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:
Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked
Now click on: Start
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.
At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).
Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.
Attach the saved log file in your next reply please. Thanks.
|
|
|
Post by bat7man on May 15, 2016 15:36:53 GMT -8
Hi,
Here are the results:
|
|
|
Post by dbrisen on May 15, 2016 21:52:01 GMT -8
FIRST >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
Wisdom-soft ScreenHunter 6.0 Free
To do so, left click on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.
SECOND >>>>
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
|
|