Topic: Browser Hijacker I can't get rid of (Read 19525 times)

lkbart
Browser Hijacker I can't get rid of
« on: January 28, 2017, 02:31:11 AM »
Is there any way to get RogueKiller to scan external drives? I believe I have a redirect/hijack virus on an external drive but nothing can find it; it started out with a mellowsurvey ad in Chrome and it comes up in Firefox too now. I have reinstalled Windows 7 prof, and it came back; then I reformatted, reinstalled Windows 7 prof, and it came back again, but it didn't come back until I hooked up my external drives. The only malware program that could find anything on my computer was RogueKiller, so I bought it. But now it says my computer is clean, yet I'm still getting redirects, and they are getting more obnoxious. I need the photos off those 2 drives, and don't know how to do that without copying the virus also. Thoughts? Suggestions please?

Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #1 on: January 29, 2017, 02:46:00 PM »
Hi lkbart,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller report with your next reply?

Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #2 on: January 29, 2017, 07:02:40 PM »
This is the last scan that found anything (well, except the one that found & killed Zemana).

RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/26/2017 00:51:48 (Duration : 00:15:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )



This scan was the first one I ran that found anything:
RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/24/2017 21:05:01 (Duration : 00:18:24)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Calypso\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


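As an added example (not RogueKiller's own code, and not from anyone in this thread): a small Python triage helper for the report format posted above. It parses the detection lines and, for the PUM.Dns (potentially unwanted modification) entries, lists any DHCP-assigned resolver that is not on an allowlist the analyst supplies, which is the check behind judging such entries benign. The sample report is constructed from the posted lines, with 203.0.113.53 (a documentation address) standing in for an unexpected resolver.

```python
import re
from dataclasses import dataclass

# Constructed sample in the report format posted above; 203.0.113.53 (documentation range) stands in for an unexpected resolver.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 3 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 203.0.113.53 ([X][X])  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
"""

# One detection line: [Category] (Arch) RegistryKey | ValueName : Data [marks]  -> Status
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>\S+)\s+:\s+(?P<data>.*?)\s+->\s+(?P<status>\w+)\s*$"
)
MARKS_RE = re.compile(r"\s*\((?:\[.\])+\)$")  # trailing per-value marks such as ([X][X][X])


@dataclass
class Finding:
    category: str
    arch: str
    key: str
    name: str
    data: str
    status: str

    @property
    def servers(self):
        """Resolver list for PUM.Dns entries; empty for every other category."""
        return self.data.split() if self.category == "PUM.Dns" else []


def parse_report(text):
    """Extract the detection lines of a RogueKiller report into Finding objects."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields = m.groupdict()
            fields["data"] = MARKS_RE.sub("", fields["data"])  # drop "([X][X][X])"
            findings.append(Finding(**fields))
    return findings


def triage_dns(findings, expected_resolvers):
    """Map each PUM.Dns key to the resolvers NOT on the analyst's allowlist. An empty
    result means every DHCP-assigned resolver is one you expected (e.g. your ISP's)."""
    expected = set(expected_resolvers)
    unexpected = {f.key: set(f.servers) - expected for f in findings if f.category == "PUM.Dns"}
    return {key: bad for key, bad in unexpected.items() if bad}
```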


Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #3 on: January 29, 2017, 07:31:07 PM »
Hi lkbart,

Make sure to plug in all your possibly infected external drives.
Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #4 on: January 29, 2017, 08:02:25 PM »
I've attached the FRST and the Addition files.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #5 on: January 29, 2017, 08:03:02 PM »
Apparently only the Addition file attached; here is the FRST.

Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #6 on: January 29, 2017, 08:38:55 PM »
Hi lkbart,

I don't see anything malicious on the reports.
Are you experiencing browser hijacking behaviour at this time?

Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #7 on: January 29, 2017, 09:18:30 PM »
At this point in time, no, I'm not. I have not reinstalled Chrome (that's where the attacks began, but they continued in Firefox). We have put a site block in the router on mellowsurvey and engine.spotcenered.info, and got a blocked-site pop-up (wanting the password to the router - ha!). Then a while later the browser tab I was reading got hijacked to the below screenshot, and I unplugged the machine. I ran RogueKiller right after that & it didn't find anything. So I'm not comfortable that it's completely gone.

Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #8 on: January 29, 2017, 10:18:41 PM »
Hi lkbart,

Since no infection is detected, there is little I can do.
What I suggest is to wait if it appears again.

Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #9 on: January 30, 2017, 12:33:40 AM »
Thanks for checking for me. I will let you know if it hits me again.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #10 on: January 30, 2017, 07:00:00 AM »
Happened again. Attached the RogueKiller scan, & the FRST & Addition scans. And a screenshot of the hijack.

Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #11 on: January 30, 2017, 07:41:54 PM »
Hi lkbart,

The reports are clean again.
Does this only happen with Firefox?

Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #12 on: January 30, 2017, 07:51:56 PM »
It started on Chrome, but I uninstalled it along with all the personal data, and then reinstalled Chrome and the virus came back, so I uninstalled it again and have not reinstalled it since I formatted and reinstalled Windows 7 prof. Been using Firefox since then.

Curson (Global Moderator)
Re: Browser Hijacker I can't get rid of
« Reply #13 on: January 30, 2017, 09:06:10 PM »
Hi lkbart,

That's really strange.
Could you please give Malwarebytes AdwCleaner a try?

Regards.

lkbart
Re: Browser Hijacker I can't get rid of
« Reply #14 on: January 30, 2017, 10:09:34 PM »
Downloaded, ran, didn't find anything. Attached the log file. This is crazy.