Page 3 of 3 FirstFirst 123
Results 21 to 25 of 25

Thread: Still Highjacked

  1. #21
    Junior Member
    Join Date
    Feb 2016
    Posts
    15

    Default

    Ok, removing NowUSeeIt helped, but still getting redirected. Please see below.

    Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
    Ran by John (2016-02-16 10:56:17) Run:2
    Running from C:\Users\John\Desktop
    Loaded Profiles: John (Available Profiles: John & DefaultAppPool)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    SearchScopes: HKU\S-1-5-21-1569399677-2339013464-2643545198-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
    CHR HomePage: Default -> hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_nxtad_16_05&param1=1&param2=f%3D1%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzuzy0C0ByCyDyE0FtA0FyB0D0A0EtBtCtAtN0D0Tzu0StCyEzytAtN1L2XzutAtFtCyBtFzytFtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyEzyzyzyyEyDtCyDtGyBtAyDyCtGyCyDtBzztGyBzzzzyBtGzyyEtAyDtCzz0CyD0F0FtCtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0AzzyD0C0AyB0AtG0B0DzyyBtGyEyCyB0DtGzz0EyE0FtG0FyEtBtDzztA0E0Ezy0AtByB2QtN0A0LzuyE%26cr%3D1001654787%26a%3Dwncy_nxtad_16_05%26os_ver%3D6.3%26os%3DWindows%2B8.1
    C:\Users\John\AppData\Local\Temp\sqlite3.dll

    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    EmptyTemp:
    Hosts:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
    HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
    HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
    "HKU\S-1-5-21-1569399677-2339013464-2643545198-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
    HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
    Chrome HomePage => removed successfully
    C:\Users\John\AppData\Local\Temp\sqlite3.dll => moved successfully

    ========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========


    ========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

    The operation completed successfully.



    ========= End of Reg: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.
    EmptyTemp: => 500.3 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 10:57:04 ====

  2. #22
    Junior Member
    Join Date
    Feb 2016
    Posts
    15

    Default

    RogueKiller V11.0.12.0 [Feb 15 2016] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/software/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 8.1 (6.3.9600) 64 bits version
    Started in : Normal mode
    User : John [Administrator]
    Started from : C:\Users\John\Desktop\RogueKiller.exe
    Mode : Scan -- Date : 02/16/2016 11:30:17

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 5 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\AVG SafeGuard toolbar -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASWMBR (\??\C:\Users\John\AppData\Local\Temp\aswMBR.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASWVMM (\??\C:\Users\John\AppData\Local\Temp\aswVmm.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASWMBR (\??\C:\Users\John\AppData\Local\Temp\aswMBR.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASWVMM (\??\C:\Users\John\AppData\Local\Temp\aswVmm.sys) -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
    --- User ---
    [MBR] ad2d1e7ce0eda9a7740a3d54688c02f5
    [BSP] 9f7635b722199a6e52ad7c538cb8bbfb : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
    1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
    2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
    3 - Basic data partition | Offset (sectors): 3096576 | Size: 1886775 MB
    4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 3867211776 | Size: 350 MB
    5 - [SYSTEM] Basic data partition | Offset (sectors): 3867928576 | Size: 19092 MB
    User = LL1 ... OK
    User = LL2 ... OK

  3. #23
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Instructions on how to backup your Favourites/Bookmarks and other data can be found below.


    Proceed with the reset once done.

    ~~~~~~~~~~~~~~~~~~



    Malwarebytes Anti-Rootkit
    • Download Malwarebytes Anti-Rootkit
    • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
    • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
    • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
    • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
    • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
    • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.



    • Please click by the introduction screen on the Next button to continue.




    • Next you will see the Update Database screen.
    • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.




    • When the update has finished, click on the Next button.



    • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
    • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.




    • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
    • Make sure everything is selected and that the option to create a restore point is checked.
    • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
    • Click on Yes button to restart your computer.

    • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
    • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
      • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.

    • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Please post these logs when finished
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #24
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Download the latest version of TDSSKiller from here and save it to your Desktop.

    or the two below links
    http://media.kaspersky.com/utilities...tdsskiller.exe
    http://www.bleepingcomputer.com/down...sskiller/dl/4/



    • Doubleclick on TDSSKiller.exe to run the application

    • Then click on Change parameters.


    • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
    • Click the Start Scan button.

    • If a suspicious object is detected, the default action will be Skip, click on Continue.


    • If malicious objects are found, they will show in the Scan results and offer three (3) options.
    • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    • Get the report by selecting Reports


    • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    Please copy and paste its contents on your next reply.



    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #25
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Since this issue appears resolved ... this Topic is closed.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •