Help with malware

[colore]

Hello,

I installed JDownloader2 from here <a href="http://jdownloader.org/dl?v=101"></a>

It now hijacked my Firefox and when I search in google, it displays fake results.

How can I get rid of that please?

Also, why is it so hard to download RogueKiller? The download pogress bar doesn't move!

thanks!

[Curson]

Hi colore,

Welcome to Adlice.com Forum.
Is JavaScript disabled in your browser ? It's required to download RogueKiller.

Please follow this process : Restore Browser Settings
Is your search engine still hijacked ?

Regards.

[colore]

Hi colore,

Welcome to Adlice.com Forum.
Is JavaScript disabled in your browser ? It's required to download RogueKiller.

Please follow this process : Restore Browser Settings
Is your search engine still hijacked ?

Regards.

I think I did a mistake and installed the toolbars the installer offers at the begimning for this software JDownloader2:
http://jdownloader.org/download/index

I restored my search engine manually, but I still get the fake google results.
I have tried everything RogueKiller, Zemana, MalwareBytes, AdwCleaner, JRT, with no luck.
Isn't there a way to clean my system completely?

[Curson]

Hi colore,

Yes, JDownloader2 itself seems clean but the installer bundles some adware.
Could you please attach RogueKiller full scan report with your next reply ?

Regards.

[colore]

please find attached

[Curson]

Hi colore,

Please select the following lines for deletion :

Code: [Select]

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E6D6FDBA-AE21-43EA-975E-852C28AE9D1C} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Admin\AppData\Local\Temp\nsz2DAF.tmp\Installer-76115949.exe|Name=proinstaller1729869499| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4C6B7A38-9BDB-435E-9E03-1692A83FE04B} : v2.22|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Admin\AppData\Local\Temp\nsz2DAF.tmp\Installer-76115949.exe|Name=proinstaller1729869499| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4C8042C7-47CB-4C61-9430-BB9B1A390418} : v2.22|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Admin\AppData\Local\Temp\HouseCall\tmase\nmap\bonjour.exe|Name=bonjour4trend|Desc=bonjour4trend|EmbedCtxt=bonjour4trend|Edge=TRUE|Defer=App| [7] -> Found
[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Found
[PUP.Gen2][Firefox:Addon] n85uxq6x.default-1490363411231 : HackTheWeb [hacktheweb@instantfox.com] -> Found
[PUP.Gen0][Chrome:Addon] Default : Bing Search Engine [bmkckgpgekmanipelfidlhmkfcjicion] -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.selectedEngine", "Search Provided by Bing"); -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.defaultenginename", "Search Provided by Bing"); -> Found
If the redirections are still present, please follow the following process :
Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
  

Regards.

[colore]

Please find the requested logs attached.
thanks

[Curson]

Hi colore,

Could you please confirm that the redirection are still occuring and are only present when browsing with Firefox ?
Are you the one who installed / downloaded various keyloggers ?

Regards.

[colore]

Hi colore,

Could you please confirm that the redirection are still occuring and are only present when browsing with Firefox ?
Are you the one who installed / downloaded various keyloggers ?

Regards.

Yes, redirection still occurs and it's only present in Firefox.
I am the one who installed keyloggers but none of them caused any issue.

[Curson]

Hi colore,

Please update RogueKiller to latest version, redo a scan a check the following lines for deletion :

Code: [Select]

[PUP.Gen0][Chrome:Addon] Default : Bing Search Engine [bmkckgpgekmanipelfidlhmkfcjicion] -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.selectedEngine", "Search Provided by Bing"); -> Found
[PUM.SearchEngine][Firefox:Config] n85uxq6x.default-1490363411231 : user_pref("browser.search.defaultenginename", "Search Provided by Bing"); -> FoundAre the redirections still present ?

Regards.

[colore]

I still get the fake google links.
Please find attached the report.

[Curson]

Hi colore,

Could you please try the following process : Refresh Firefox ?
Please note that you will have to reinstall all your extensions after.

Regards.