
Thread: Browser redirect malware with additional side effects

  1. #1
    Junior Member
    Join Date
    Dec 2017
    Posts
    9

    Browser redirect malware with additional side effects

    I have what I believe is a multi-faceted problem stemming from a particularly stubborn piece of malware.

    The key indicator is when searching from Chrome's Omnibar it redirects before showing my search results as shown here:

    [Attachment: 2017-12-14 21_32_56-test - Bing.png]

    It's almost never the same URL or even CLOSE. I believe whatever is causing this is also preventing me from updating Spybot S&D. Running the update module in my Spybot install does nothing, I can't run the updater directly from the file, and downloading the files manually does not appear to work either. I am also unable to start the updater service due to it timing out immediately.

    In trying to gather the troubleshooting information needed for this post I also experienced problems. My FRST log:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-12-2017
    Ran by Jay (administrator) on JAY-PC (14-12-2017 21:21:19)
    Running from C:\FRST
    Loaded Profiles: Jay (Available Profiles: Jay)
    Platform: Windows 10 Home Version 1703 15063.540 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ========================================================



    Please note this is the WHOLE log and no addition.txt file was created. I tried running several times, deleting and re-downloading the files and tool, running as admin... no change.

    Running aswMBR.exe had even more drastic results:

    [Attachment: BSOD.jpg]

    I have attempted Malwarebytes to no avail, and also tried running it in Safe Mode.

    My version of Windows is Win 10 64bit 1703 (OS Build 15063.540)

    I have tried updating to 1709 several times and am also unable to do that due to constant failures, though that may be unrelated.

    I'm at a loss as to what to try next. Any direction or help would be greatly appreciated.

  2. #2
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    When I first read your information I kinda cringed a bit, if the infection on your machine is what I think it is, we're in for a battle that not all have been lucky enough to remove.
    It is also possible that attempts to repair or delete the infection might have to be done in the Recovery Environment:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

    https://forums.malwarebytes.com/topi...-malwarebytes/

    If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here afterward.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member
    Join Date
    Dec 2017
    Posts
    9


    I am working on following these steps, but am fighting with unrelated ISP issues making it difficult to download the tool.

  4. #4
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    I don't know if this is going to help, but try to boot into Safe Mode with Networking and attempt to download the tool from there.
    https://support.microsoft.com/en-us/...c-in-safe-mode

    Also, if it can be done, attempt to download these additional tools while in Safe Mode with Networking and post the logs for me.

    RogueKiller
    • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
    • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
    • Wait for the scan to complete
    • On completion, the results will be displayed
    • Check every single entry (threat found), and click on the Remove Selected button
    • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
    • This will open the report in Notepad. Copy/paste its content in your next reply

    created by Aura

    ****
    AdwCleaner - Fix Mode
    • Download AdwCleaner and move it to your Desktop
    • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Accept the EULA (I accept), then click on Scan
    • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
    • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #5
    Junior Member
    Join Date
    Dec 2017
    Posts
    9


    I will post the logs in the order they were requested in the thread:

    MBAR log:

    Malwarebytes Anti-Rootkit BETA 1.10.3.1001
    www.malwarebytes.org

    Database version:
    main: v2017.12.19.06
    rootkit: v2017.10.14.01

    Windows 10 x64 NTFS
    Internet Explorer 11.540.15063.0
    Jay :: JAY-PC [administrator]

    12/19/2017 8:51:09 PM
    mbar-log-2017-12-19 (20-51-09).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 222269
    Time elapsed: 8 minute(s), 16 second(s)

    Memory Processes Detected: 5
    C:\Users\Jay\AppData\Local\psohkwl\psohkwl.exe (Trojan.Clicker) -> 9764 -> Delete on reboot. [1260a9827535cc6a75755d521ce534cc]
    C:\Users\Jay\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> 11748 -> Delete on reboot. [b9b92b0009a1191d6737ab92c23ffe02]
    C:\Users\Jay\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> 3112 -> Delete on reboot. [b9b92b0009a1191d6737ab92c23ffe02]
    C:\Users\Jay\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> 4876 -> Delete on reboot. [b9b92b0009a1191d6737ab92c23ffe02]
    C:\Users\Jay\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> 12680 -> Delete on reboot. [b9b92b0009a1191d6737ab92c23ffe02]

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\WINDOWS\SYSTEM32\drivers\69bc6d74e29d13e16e2b101abfb49035.sys (Adware.Wajam) -> Delete on reboot. [a9dd56a37c1ab181b2d2400331b43044]
    C:\WINDOWS\SYSTEM32\drivers\sncfilps.sys (Rootkit.Agent.PUA) -> Delete on reboot. [d4b78f4f04a1132bf3088f93b9e5d140]
    C:\Users\Jay\AppData\Local\psohkwl\psohkwl.exe (Trojan.Clicker) -> Delete on reboot. [1260a9827535cc6a75755d521ce534cc]
    C:\Users\Jay\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> Delete on reboot. [b9b92b0009a1191d6737ab92c23ffe02]
    C:\Windows\System32\config\systemprofile\AppData\Local\psohkwl\psohkwl.exe (Trojan.Agent) -> Delete on reboot. [3e340724ffab0036c351ab2620e1fb05]
    C:\Windows\System32\config\systemprofile\AppData\Local\psohkwl\ushdnme.exe (Adware.Yelloader) -> Delete on reboot. [29492dfe723893a3861853ea5ba602fe]

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)

  6. #6
    Junior Member
    Join Date
    Dec 2017
    Posts
    9


    Rogue Killer Log:

    RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : https://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 10 (10.0.15063) 64 bits version
    Started in : Normal mode
    User : Jay [Administrator]
    Started from : C:\Users\Jay\Desktop\RogueKiller_portable64.exe
    Mode : Delete -- Date : 12/19/2017 22:06:14 (Duration : 00:31:30)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 35 ¤¤¤
    [PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Conduit -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\InstallCore -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\WeatherAlerts -> Deleted
    [PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Conduit -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\InstallCore -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\WeatherAlerts -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3889070278-3414657367-3443163699-1000\Software\IM -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3889070278-3414657367-3443163699-1000\Software\IM -> Deleted
    [PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\AppDataLow\Software\Conduit -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\AppDataLow\Software\PriceGong -> Deleted
    [PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\AppDataLow\Software\Conduit -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\AppDataLow\Software\PriceGong -> Deleted
    [PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\Conduit -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\ConduitSearchScopes -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\PriceGong -> Deleted
    [PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\Conduit -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\ConduitSearchScopes -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\AppDataLow\Software\PriceGong -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Search -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Search -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Uninstall\DesktopWeatherAlerts -> Deleted
    [PUP.Gen1] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Search -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Uninstall\DesktopWeatherAlerts -> Deleted
    [PUP.Gen1] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Search -> Deleted
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_E_EAB4\ControlSet001\Services\SPPD (\??\C:\Windows\system32\drivers\SPPD.sys) -> Deleted
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_E_EAB4\ControlSet002\Services\SPPD (\??\C:\Windows\system32\drivers\SPPD.sys) -> Deleted
    [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Deleted
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3889070278-3414657367-3443163699-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/?PC=BNHP -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3889070278-3414657367-3443163699-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/?PC=BNHP -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.11.1 208.73.63.114 ([-][United States]) -> Replaced ()
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{caa2ce7e-e35b-4c74-9a90-00093b61115a} | DhcpNameServer : 192.168.11.1 208.73.63.114 ([-][United States]) -> Replaced ()
    [PUM.StartMenu] (X64) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
    [PUM.StartMenu] (X86) HKEY_USERS\RK_Dietrich_ON_E_08FC\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
    [PUM.StartMenu] (X64) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
    [PUM.StartMenu] (X86) HKEY_USERS\RK_Samantha Layne_ON_E_1283\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 5 ¤¤¤
    [PUP.Gen0][Chrome:Addon] Default : Honey [bmnlcjabgnpnenekpadlanbbkooimhnj] -> Deleted
    [PUP.Gen0][Chrome:Addon] Default : Amazon Assistant for Chrome [pbjikboenpfhbbejgkoklgkhjpfogcam] -> ERROR [2]
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [bing.com] -> Deleted
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.url [https://www.bing.com/search?q={searchTerms}&PC=U316&FORM=CHROMN] -> Deleted
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.suggestions_url [https://www.bing.com/osjson.aspx?query={searchTerms}&language={language}&PC=U316] -> Deleted

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Samsung SSD 840 Series ATA Device +++++
    --- User ---
    [MBR] f8196a3f36464a3c80b0c03a41a02241
    [BSP] 608c79d957753ee8236c468d14c98aa5 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 113921 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 233517056 | Size: 450 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: WDC WD7500AAKS-00RBA0 ATA Device +++++
    --- User ---
    [MBR] 66c2a20d1a2b4bc6acd8fbd9269536cc
    [BSP] cede988f4171384d55a70ab29563e4cd : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 715302 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive2: Generic STORAGE DEVICE USB Device +++++
    --- User ---
    [MBR] f62fb7523fee5d10dec91fe20d1429d6
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
    Partition table:
    0 - android_meta | Offset (sectors): 2048 | Size: 16 MB
    1 - android_expand | Offset (sectors): 34816 | Size: 61038 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )
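The MBAR and RogueKiller logs above show the places this infection touched: an extra DNS resolver (208.73.63.114) appended to the router in the Tcpip parameters, a NlaSvc ManualProxies entry, Chrome's default search provider rewritten in Secure Preferences, unsigned drivers dropped into System32\drivers, and a psohkwl folder under both the user's and the SYSTEM profile's AppData\Local. The script below is an added example, not code from the thread, from the tools mentioned, or from the forum helpers: a read-only PowerShell audit that re-checks those same locations so the user can confirm after cleanup (or after a reboot) that nothing came back. It assumes the LAN router 192.168.11.1 is the only resolver that should be present, that Chrome uses the default "Default" profile folder, and it takes the driver and folder names from the logs above; the output is a list of leads to read, since legitimate software also runs from AppData\Local and some third-party drivers are not signed in a way this check sees.

```powershell
# Added example (not from the thread): read-only audit of the hijack points the
# MBAR/RogueKiller logs reported. Run from an elevated PowerShell 5.1+ prompt.
# It only reports; it deletes and changes nothing.

# Assumption: the LAN router seen in the log is the only resolver expected.
$ExpectedDns = @('192.168.11.1')
# Driver file names taken from the MBAR and RogueKiller output above.
$LoggedDrivers = @('sncfilps.sys', 'SPPD.sys', '69bc6d74e29d13e16e2b101abfb49035.sys')

function New-Finding($Check, $Location, $Value) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value }
}

# 1. DNS resolvers handed to the TCP/IP stack: the global key plus every interface.
#    A resolver you did not configure is how a search redirect survives a browser reinstall.
function Get-DnsFindings {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @($base) + @(Get-ChildItem "$base\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object PSPath)
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $val = $props.$name
            if ([string]::IsNullOrWhiteSpace($val)) { continue }
            foreach ($srv in ($val -split '[ ,]+')) {
                if ($srv -and $ExpectedDns -notcontains $srv) {
                    New-Finding 'DNS' "$($k -replace '^.*::', '')\$name" $srv
                }
            }
        }
    }
}

# 2. Proxy settings: the NlaSvc key the log cleared, plus the per-user
#    Internet Settings key, the other common place a proxy or PAC URL is planted.
function Get-ProxyFindings {
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies' -ErrorAction SilentlyContinue
    if ($nla -and -not [string]::IsNullOrWhiteSpace($nla.'(default)')) {
        New-Finding 'Proxy' 'NlaSvc\Parameters\Internet\ManualProxies' $nla.'(default)'
    }
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1) { New-Finding 'Proxy' 'HKCU Internet Settings\ProxyServer' $ie.ProxyServer }
    if ($ie -and $ie.AutoConfigURL)    { New-Finding 'Proxy' 'HKCU Internet Settings\AutoConfigURL' $ie.AutoConfigURL }
}

# 3. Chrome's default search provider, stored in the profile's Secure Preferences JSON
#    under default_search_provider_data.template_url_data (the keys named in the log).
#    Whatever is set is reported so you can confirm it is a provider you chose.
function Get-ChromeSearchFindings {
    $prefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Secure Preferences'
    if (-not (Test-Path $prefs)) { return }
    $json = Get-Content -Raw -Path $prefs | ConvertFrom-Json
    $tu = $json.default_search_provider_data.template_url_data
    if (-not $tu) { return }
    foreach ($field in 'keyword', 'url', 'suggestions_url') {
        if ($tu.$field) { New-Finding 'ChromeSearch' "template_url_data.$field" $tu.$field }
    }
}

# 4. Kernel drivers: first the exact files the logs named, then any .sys in the
#    drivers folder whose Authenticode/catalog signature is not Valid. Unsigned hits
#    are leads to research, not verdicts.
function Get-DriverFindings {
    $dir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($name in $LoggedDrivers) {
        $p = Join-Path $dir $name
        if (Test-Path $p) { New-Finding 'Driver' $p 'file still present' }
    }
    Get-ChildItem -Path $dir -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') { New-Finding 'Driver' $_.FullName $sig.Status }
    }
}

# 5. The dropper folder from the log in both profiles, plus any running process whose
#    image lives under AppData\Local. Legitimate updaters and chat clients run from
#    there too, so read the list rather than acting on it blindly.
function Get-ProcessFindings {
    $dirs = @((Join-Path $env:LOCALAPPDATA 'psohkwl'),
              (Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Local\psohkwl'))
    foreach ($d in $dirs) { if (Test-Path $d) { New-Finding 'Folder' $d 'still present' } }
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$env:LOCALAPPDATA\*" } |
        ForEach-Object { New-Finding 'Process' $_.Path $_.Id }
}

$findings = @(Get-DnsFindings) + @(Get-ProxyFindings) + @(Get-ChromeSearchFindings) +
            @(Get-DriverFindings) + @(Get-ProcessFindings)
if ($findings.Count -eq 0) { 'No findings in the audited locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script reads CurrentControlSet rather than the ControlSet001 names in the RogueKiller log, because CurrentControlSet is the control set the running system is actually using; if a resolver, proxy or driver shows up here again after the tools reported it deleted, that is the "delete on reboot" entry having been re-created, which is the signal the helpers in this thread would want to see before deciding the Recovery Environment route.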
