Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Browser redirect malware with additional side effects

  1. #11
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Let's get system restore turned back on.
    https://www.tenforums.com/tutorials/...dows-10-a.html

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Start Farbar Recovery Scan Tool with Administrator privileges
    or Right click on the FRST icon and select Run as administrator

    Right click/highlight on the text below and select Copy.
    beginning with Start:: and finishing with End::


    Start::
    CloseProcesses:
    CreateRestorePoint:
    Handler: WSKVAllmytubechrome - {91AB862D-07B8-4A85 - No File
    S3 WsDrvInst; "E:\Keepvid\KeepVid Pro (Desktop)\DriverInstall.exe" [X]
    S1 cycgorla; \??\C:\WINDOWS\system32\drivers\cycgorla.sys [X]
    2017-12-19 21:07 - 2017-06-20 00:10 - 001930320 _____ (Microsoft Corporation) C:\Users\Jay\AppData\Local\Temp\dllnt_dump.dll
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gооglе Plаy Мusiс.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=fahmaaghhglfmonjliepjlchgpgfmobi
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=ldnihfekhncchmljjkikeondcdehkbee
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=amemnopljkanfileagmgohnmfnflikdo
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=ldnihfekhncchmljjkikeondcdehkbee
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=amemnopljkanfileagmgohnmfnflikdo
    Emptytemp:
    End::


    Press the Fix button.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    ~~~~~~~~~~~~~~~~~~~~~~~``

    Please open Malwarebytes Anti-Malware.
    On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
    Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    When the scan is complete Apply Actions to any found entries.
    Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.

    To get the log from Malwarebytes do the following:
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click Export > From export you have three options: > From export you have three options:

    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

    Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


    Please post these 2 logs when finished.
    Last edited by Juliet; 2017-12-21 at 12:45.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #12
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    what device is connected to Drive f:
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Junior Member
    Join Date
    Dec 2017
    Posts
    9

    Default

    Drive F: is a virtual drive through PowerISO.

    Here are the logs requested:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 12/25/17
    Scan Time: 9:25 AM
    Log File: c648d0de-e987-11e7-b191-902b341033e8.json
    Administrator: Yes

    -Software Information-
    Version: 3.3.1.2183
    Components Version: 1.0.262
    Update Package Version: 1.0.3560
    License: Free

    -System Information-
    OS: Windows 10 (Build 16299.125)
    CPU: x64
    File System: NTFS
    User: JAY-PC\Jay

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 305902
    Threats Detected: 0
    (No malicious items detected)
    Threats Quarantined: 0
    (No malicious items detected)
    Time Elapsed: 3 min, 9 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)


    (end)



    Fix result of Farbar Recovery Scan Tool (x64) Version: 23-12-2017 01
    Ran by Jay (25-12-2017 09:13:54) Run:1
    Running from C:\Users\Jay\Desktop
    Loaded Profiles: Jay (Available Profiles: Jay)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CloseProcesses:
    CreateRestorePoint:
    Handler: WSKVAllmytubechrome - {91AB862D-07B8-4A85 - No File
    S3 WsDrvInst; "E:\Keepvid\KeepVid Pro (Desktop)\DriverInstall.exe" [X]
    S1 cycgorla; \??\C:\WINDOWS\system32\drivers\cycgorla.sys [X]
    2017-12-19 21:07 - 2017-06-20 00:10 - 001930320 _____ (Microsoft Corporation) C:\Users\Jay\AppData\Local\Temp\dllnt_dump.dll
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gооglе Plаy Мusiс.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=fahmaaghhglfmonjliepjlchgpgfmobi
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=ldnihfekhncchmljjkikeondcdehkbee
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=amemnopljkanfileagmgohnmfnflikdo
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=ldnihfekhncchmljjkikeondcdehkbee
    ShortcutWithArgument: C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat () -> --profile-directory=Default --app-id=amemnopljkanfileagmgohnmfnflikdo
    Emptytemp:

    *****************

    Processes closed successfully.
    Restore point was successfully created.
    "HKLM\Software\Classes\PROTOCOLS\Handler\WSKVAllmytubechrome" => removed successfully
    WsDrvInst => service not found.
    cycgorla => service not found.
    "C:\Users\Jay\AppData\Local\Temp\dllnt_dump.dll" => not found.
    "HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
    HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found
    C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gооglе Plаy Мusiс.lnk => Shortcut argument removed successfully
    C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk => Shortcut argument removed successfully
    C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk => Shortcut argument removed successfully
    C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\еSpоrt Тоurnаmеnts Fоr Моnеy ⚡ Неаrth.._.lnk => Shortcut argument removed successfully
    C:\Users\Jay\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оvеrwаtсh Pеrfоrmаnсе Тrасkеr (Вlаnk).._.lnk => Shortcut argument removed successfully

    =========== EmptyTemp: ==========

    BITS transfer queue => 6053888 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9525271 B
    Java, Flash, Steam htmlcache => 561628175 B
    Windows/system/drivers => 946005 B
    Edge => 2521795 B
    Chrome => 41155253 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    Users => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 822 B
    NetworkService => 0 B
    Jay => 10869553 B

    RecycleBin => 0 B
    EmptyTemp: => 603.4 MB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 09:14:18 ====

  4. #14
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Emsisoft Emergency Kit - Fix Mode
    Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
    • Download the Emsisoft Emergency Kit and execute it. From there, click on the Install button to extract the program in the EEK folder;
    • Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
    • EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
    • After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
    • Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
    • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
    • After the restart, open EEK again (in the C:\EEK folder);
    • This time, click on Logs;
    • From there, go under the Quarantine Log tab, and click on the Export button;
    • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
    created by Aura

    After finishing the above scan please tell me how the computer is now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #15
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Drive F
    what did you mount or use since it was so small?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #16
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    How is your computer now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  7. #17
    Junior Member
    Join Date
    Dec 2017
    Posts
    9

    Red face

    Sorry for the delay, been away from home for the holidays.

    Here's the log after the emisoft scan:

    Emsisoft Emergency Kit - Version 2017.11
    Last update: 1/1/2018 8:46:29 PM
    User account: JAY-PC\Jay
    Computer name: JAY-PC
    OS version: Windows 10x64

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    Scan mail archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off

    Scan start: 1/1/2018 8:46:56 PM

    Scanned 101012
    Found 0

    Scan end: 1/1/2018 8:48:00 PM
    Scan time: 0:01:04







    Everything appears to be back up and running as expected! No more CPU spikes and no more redirects


    I think it's safe to say we're good. Thank you for all your help.

  8. #18
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Good to hear.

    DelFix

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Click the Run button.
    • -- This will remove the specialized tools we used to disinfect your system.
      Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete
      ).

    *********


    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Unchecky automatically removes checkmarks for bunlded software in programme installers; helping you avoid adware and PUPs.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  9. #19
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Glad we could help.
    Since this issue appears resolved ... this Topic is closed.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •