Adlice forum
General Category => Malware removal help => Topic started by: colore on April 24, 2018, 02:17:00 AM
-
Hello,
I installed JDownloader2 from here: http://jdownloader.org/dl?v=101
It now hijacked my Firefox and when I search in google, it displays fake results.
How can I get rid of that please?
Also, why is it so hard to download RogueKiller? The download progress bar doesn't move!
thanks!
-
Hi colore,
Welcome to Adlice.com Forum.
Is JavaScript disabled in your browser? It's required to download RogueKiller.
Please follow this process: Restore Browser Settings (https://www.malwarebytes.com/restorebrowser/index.html#fix-start-pages-firefox)
Is your search engine still hijacked?
Regards.
-
I think I made a mistake and installed the toolbars the installer offers at the beginning for this software, JDownloader2:
http://jdownloader.org/download/index
I restored my search engine manually, but I still get the fake google results.
I have tried everything RogueKiller, Zemana, MalwareBytes, AdwCleaner, JRT, with no luck.
Isn't there a way to clean my system completely? :(
-
Hi colore,
Yes, JDownloader2 itself seems clean but the installer bundles some adware.
Could you please attach the RogueKiller full scan report with your next reply?
Regards.
-
please find attached
-
Hi colore,
Please select the following lines for deletion:
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6D6FDBA-AE21-43EA-975E-852C28AE9D1C} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Admin\AppData\Local\Temp\nsz2DAF.tmp\Installer-76115949.exe|Name=proinstaller1729869499| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4C6B7A38-9BDB-435E-9E03-1692A83FE04B} : v2.22|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Admin\AppData\Local\Temp\nsz2DAF.tmp\Installer-76115949.exe|Name=proinstaller1729869499| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4C8042C7-47CB-4C61-9430-BB9B1A390418} : v2.22|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Admin\AppData\Local\Temp\HouseCall\tmase\nmap\bonjour.exe|Name=bonjour4trend|Desc=bonjour4trend|EmbedCtxt=bonjour4trend|Edge=TRUE|Defer=App| [7] -> Found
[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Found
[PUP.Gen2][Firefox:Addon] n85uxq6x.default-1490363411231 : HackTheWeb [hacktheweb@instantfox.com] -> Found
[PUP.Gen0][Chrome:Addon] Default : Bing Search Engine [bmkckgpgekmanipelfidlhmkfcjicion] -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.selectedEngine", "Search Provided by Bing"); -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.defaultenginename", "Search Provided by Bing"); -> Found
If the redirections are still present, please follow the following process:
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
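
The [Suspicious.Path] entries listed in the post above are Windows Firewall rule values whose App= field points into a Temp directory. The following is an added example, not part of the original post and not RogueKiller's own logic: it parses that pipe-delimited rule format and flags active Allow rules for executables under a temp path. The function names, the regular expression and the sample rules are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed sample values in the pipe-delimited format shown in the log lines
# above (version token, then Key=Value fields). GUIDs, names and paths are made up.
SAMPLE_RULES = {
    "{11111111-1111-1111-1111-111111111111}":
        r"v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Admin\AppData\Local\Temp\nsx0001.tmp\Setup-0000.exe|Name=examplesetup|",
    "{22222222-2222-2222-2222-222222222222}":
        r"v2.22|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|App=%ProgramFiles%\Example\app.exe|Name=Example App|",
    "{33333333-3333-3333-3333-333333333333}":
        r"v2.22|Action=Block|Active=TRUE|Dir=In|App=C:\Windows\Temp\tool.exe|Name=blocked|",
    "{44444444-4444-4444-4444-444444444444}":
        r"v2.22|Action=Allow|Active=FALSE|Dir=In|App=C:\Users\Admin\AppData\Local\Temp\old.exe|Name=disabled|",
}

# Assumption: a rule is worth reviewing when its App= path sits in a temp
# directory, as in every [Suspicious.Path] line above. Installers unpack there
# and the executable is usually gone afterwards, while the rule stays behind.
TEMP_PATH = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\|%te?mp%", re.IGNORECASE)

def parse_rule(value: str) -> Dict[str, List[str]]:
    """Split one FirewallRules value into {field: [values]}; fields such as Profile may repeat."""
    parts = [p for p in value.split("|") if p]
    fields: Dict[str, List[str]] = {"Version": [parts[0]]} if parts and "=" not in parts[0] else {}
    for part in parts:
        if "=" in part:
            key, _, val = part.partition("=")
            fields.setdefault(key, []).append(val)
    return fields

def is_suspicious(fields: Dict[str, List[str]]) -> bool:
    """True for an active Allow rule whose App= executable lives in a temp directory."""
    app = (fields.get("App") or [""])[0]
    return (fields.get("Action") == ["Allow"]
            and fields.get("Active") == ["TRUE"]
            and bool(TEMP_PATH.search(app)))

def flag_rules(rules: Dict[str, str]) -> List[str]:
    """Return the sorted rule GUIDs that is_suspicious() flags."""
    return sorted(guid for guid, v in rules.items() if is_suspicious(parse_rule(v)))

if __name__ == "__main__":
    for guid in flag_rules(SAMPLE_RULES):
        f = parse_rule(SAMPLE_RULES[guid])
        print(guid, f["Dir"][0], f["App"][0])
```
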
-
Please find the requested logs attached.
thanks
-
Hi colore,
Could you please confirm that the redirections are still occurring and are only present when browsing with Firefox?
Are you the one who installed / downloaded various keyloggers?
Regards.
-
Yes, redirection still occurs and it's only present in Firefox.
I am the one who installed keyloggers but none of them caused any issue.
-
Hi colore,
Please update RogueKiller to the latest version, redo a scan and check the following lines for deletion:
[PUP.Gen0][Chrome:Addon] Default : Bing Search Engine [bmkckgpgekmanipelfidlhmkfcjicion] -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.selectedEngine", "Search Provided by Bing"); -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.defaultenginename", "Search Provided by Bing"); -> Found
Are the redirections still present?
Regards.
-
I still get the fake google links.
Please find attached the report.
-
Hi colore,
Could you please try the following process: Refresh Firefox (https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings)?
Please note that you will have to reinstall all your extensions after.
Regards.