|
Post by glorywriter on Jul 30, 2014 13:22:04 GMT -8
I followed the directions, clicking wifi as it was my only option. I don't know how to do it for ethernet. I understand it may not take effect until I restart the internet and/or windows, but I wasn't sure if you wanted me to reboot yet, so I'm awaiting further instructions. Thank you very much.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Jul 30, 2014 15:30:58 GMT -8
Did the system have the DNS settings of (which showed in the FRST and OTL log early on, by the way) which I had you look for and remove in the previous instructions with pictures?
Quads
|
|
|
Post by glorywriter on Jul 30, 2014 17:22:46 GMT -8
It did have numbers in the two boxes at the bottom, which I cleared before I clicked on ok. I don't know what the numbers were though. I did set both to "obtain address automatically" as directed.
|
|
|
Post by Quads on Jul 30, 2014 17:44:22 GMT -8
Hopefully we won't have to reset the Router also.
Hmmmmmm, thinking. The next tool they use I have only used on my system, not for systems via the internet. Though I am thinking that SystemLook with OTL should be able to do the same thing (I hope).
For info purposes, FRST log entries:
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.8.1 <== Good is the Router
Tcpip\..\Interfaces\{2B0FB12A-9268-4151-813B-7B268093A704}: [NameServer]208.69.150.250,208.69.150.252 <==== Legit but is seen in systems with the same problem
Tcpip\..\Interfaces\{345CAFEC-EAB3-4951-8DF0-70C421F10D68}: [NameServer]208.69.150.250,208.69.150.252 <==== Legit but is seen in systems with the same problem
Tcpip\..\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}: [NameServer]208.69.150.250,208.69.150.252 <==== Legit but is seen in systems with the same problem
Tcpip\..\Interfaces\{8861F49D-C00A-4992-BB3A-0756E4630E71}: [NameServer]208.69.150.250,208.69.150.252 <==== Legit but is seen in systems with the same problem
Quads
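Added example, not part of the original post: a short Python check that reads FRST-style Tcpip lines like the ones quoted above and lists interfaces whose static NameServer differs from the DHCP-issued resolvers. The sample lines are copied from the post; the function names are this example's own.

```python
import ipaddress
import re

# Sample lines copied from the FRST entries quoted in the post above.
SAMPLE_LOG = r"""
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.8.1 <== Good is the Router
Tcpip\..\Interfaces\{2B0FB12A-9268-4151-813B-7B268093A704}: [NameServer]208.69.150.250,208.69.150.252
Tcpip\..\Interfaces\{345CAFEC-EAB3-4951-8DF0-70C421F10D68}: [NameServer]208.69.150.250,208.69.150.252
"""

# key path, value name in brackets, then data up to any "<==" analyst annotation
LINE_RE = re.compile(r"^Tcpip\\(?P<key>[^:]+):\s*\[(?P<value>\w+)\]\s*(?P<data>[^<]*)")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_tcpip_lines(log_text):
    """Return (dhcp_servers, {interface_guid: [static servers]})."""
    dhcp, static = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in re.split(r"[,\s]+", m["data"].strip()):
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # skip empty tokens and anything that is not an IP address
        guid = GUID_RE.search(m["key"])
        if m["value"] == "DhcpNameServer" and not guid:
            dhcp = servers  # system-wide resolvers handed out by the router
        elif m["value"] == "NameServer" and guid and servers:
            static[guid.group(0)] = servers  # manually configured per interface
    return dhcp, static

def static_dns_overrides(log_text):
    """List interfaces whose static NameServer is not one of the DHCP resolvers."""
    dhcp, static = parse_tcpip_lines(log_text)
    findings = []
    for guid, servers in sorted(static.items()):
        foreign = [s for s in servers if s not in dhcp]
        if foreign:
            findings.append((guid, foreign))
    return findings

if __name__ == "__main__":
    for guid, servers in static_dns_overrides(SAMPLE_LOG):
        print(f"{guid}: static DNS {', '.join(servers)} overrides DHCP")
```

A hit only means the interface has a hard-coded resolver that should be reviewed; as the annotations in the post say, the address itself can be legitimate.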
|
|
|
Post by Quads on Jul 30, 2014 20:18:14 GMT -8
Please download SystemLook from the link below and save it to your Desktop.
jpshortstuff.247fixes.com/SystemLook.html
the 64 bit version
Disable Norton for say 30 mins or more.
Start SystemLook.
Copy the content of the following codebox into the main textfield (don't forget the : in front of :filefind):
:filefind yahoo
:folderfind yahoo
:regfind yahoo
Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply (attach to message).
Note: The log can also be found on your Desktop entitled SystemLook.txt
Quads
|
|
|
Post by glorywriter on Jul 31, 2014 6:08:47 GMT -8
|
|
|
Post by Quads on Jul 31, 2014 11:09:02 GMT -8
I see domains with Yahoo.
Scan with Zoek
Please download ZOEK by Smeenk (hijackthis.nl/smeenk/index.html) and save it to your desktop (preferred version is the *.exe one).
Temporarily disable your AntiVirus.
Right-click on the icon and select Run as Administrator to start the tool. Wait patiently until the main console appears; it may take a minute or two or 3.......
In the main box please paste in the following script:
createsrpoint;
Yahoo;a
Yahoo;z
Make sure that the Scan All Users option is checked.
Push Run Script and wait patiently. The scan may take a couple of minutes. When the scan completes, a zoek-results logfile should open in notepad. If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ zoek-results.log)
Quads
|
|
|
Post by glorywriter on Jul 31, 2014 12:50:14 GMT -8
|
|
|
Post by Quads on Jul 31, 2014 14:44:49 GMT -8
2 files one being this C:\Users\Cynthia\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\7UKOQT3E\us.yhs4.search.yahoo[1].xml
with some registry keys, that I have to look up.
Here is one poor guy also (for reading):
"Yesterday. I noticed a few programs that were running in the background that I didn't recognize. Homepage automatically went to vi-view.com which is not my homepage. Chrome omnibox went to Yahoo search instead of using Google search as it used to.
Current issues and symptoms: Basically all that's left is redirect to Yahoo instead of Google search, which I can't seem to fix.
Steps taken in order to remove the infection: Uninstalled all unrecognized programs except one called Search Protect because it wasn't registered in Programs and Features. Uninstalled Chrome. Used Adwcleaner.exe in safe mode which removed Search Protect and fixed my homepage. Used Malwarebytes Anti-Malware, which detected threats that were removed. Used Anvi Smart Defender which removed suspicious extensions from Chrome that were redirecting omnibox to Yahoo. Used CCleaner to delete temp files.
At this point, everything was more or less fixed UNTIL I reinstalled Chrome and ended up syncing old extensions that were saved on Google server, causing Yahoo redirect to return. I've deleted all saved settings and extensions from Google server so it won't sync next time, but now omnibox won't stop redirecting to Yahoo. I've tried resetting Chrome settings and reinstalling Chrome. AdwCleaner, Malwarebytes and Anvi Smart Defender scans all come out clean at this point, and I don't know what else to do."
Haha, sound familiar?
Quads
|
|
|
Post by glorywriter on Aug 1, 2014 8:45:27 GMT -8
Argh! Sounds terribly familiar!!
|
|