Jump to content

www-searching.com Malware/Hijack


Recommended Posts

Dear Malwarebytes support, please help CLEAR OUT "www-searching.com" Malware Hijack which MalwareBytes Anti-Malware Premium which I purchased from you has NOT been able to REMOVE for a few days now & Anti-Exploit Premium did NOT prevent. I also tried running Anti-Malware Premium through Chameleon in normal Vista and in Safe-Mode, Also tried running your other free download tools like the anti-rootkit beta and all others.

Every time start firefox or open a new tab this is the website that took over and it is NOT set as the homepage: -->  
http://www-searching.com/?pid=s&s=F18zamodk08491,50859761-925e-48f0-ba89-9b77df3151ca,&fnt=1

So what I noticed so far once this "www-searching.com" Malware Hijack showed up is my firefox add-ons 'YouTube High Definition 34.3' and 'Session Manager' icons that used to be visible and appeared on the firefox toolbar just under all the tabs next to the URL and Search fields between the standard icons of the firefox Downloads and Menu icons.

There's interference with Session Manager's operation when starting firefox.

It also disabled the function of the firefox add-ons 'YouTube High Definition 34.3' and 'FlashStopper 1.2.4.1' which were set to not play videos automatically on websites until I press play but now all videos play automatically on youtube and other websites even though the add-ons are supposedly still active but do not do what they did before.

And when clicking on links from my websites that I'm reading it automatically redirects to other websites.... for example, I was just on your help webpage( http://www.malwarebytes.org/support/consumer/) and when I clicked to go tn Contact Us( http://www.malwarebytes.org/support/consumer/topic/ ) it automatically redirected to this other website: -->  
http://www.spywareclear.com/lp/lp6.aspx?lp=1&p=Virus+%26+Malware+Prevention+and+Removal&cfg=316&subid=anti+malware

 

Firefox is still default browser but In Windows Explorer all saved webpage files changed from having a firefox icon/thumbnail to Internet Explorer's icon/thumbnail.

Plus... just typed "www-searching.com" into google search( https://www.google.com/#q=www-searching.com) and the first 3 search results' pages I looked through are dominated by websites I never heard before with removal guides that seem very suspicious since they all recommend downloading and using their never heard of 'removal tool' and my guess is possibly all these are "partners in crime" of this "www-searching,com" malware because none of the search results show any well established security tech websites or forums discussions or anything like it usually does when search for a malware keywords.

 

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

adwcleaner_new.png Fix with AdwCleaner
 
Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait until the database is updated.
  • Accept the Terms of use and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please include the contents of that file in your reply.
 
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
 
 
 
 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

Great thanks for your help my eagle brother

 

So now when I started firefox it appeared without the "www-searching.com" opeining immediately and instead it opened with the page as if the firefox add-on 'YouTube High Definition 34.3' was just activated which was suppressed by the hijack and its icon now appears back on the firefox toolbar just under all the tabs next to the URL and Search fields but the Session Manager icon still does not even though in its options the checkbox is checked to display in the firefox tools menu.

 

when opening a fresh new tab it still opens on the hijack page: --> http://www-searching.com/?pid=s&s=F18zamodk08491,50859761-925e-48f0-ba89-9b77df3151ca,&fnt=1

 

in the reports I notice some of the hijacks that are still there which were previously detected and deleted but still show up now:

S2 SMUpdPlus; C:\Program Files\Common Files\GBUpdatePlus\smu.exe [1875816 2014-12-23] (Search Module Plus Ltd.)

Task: {37D3EBF7-05FC-4B63-8728-8CB52BA6E9F1} - System32\Tasks\SMWPUpd => C:\Program Files\Common Files\GBUpdatePlus\updater.exe [2014-12-23] (Goobzo)

 

all the scan reports are attached

thanks so much and look forward to the next step

AdwCleaner01.txt

AdwCleaner02.txt

Farbar Recovery Scan 02-- FRST.txt

Farbar Recovery Scan 02-- Addition.txt

Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.
 
 
 
 

51a612a8b27e2-Zoek.png Scan with ZOEK
 
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

fixlist.txt

Link to post
Share on other sites

Followed the steps and here is the latest update with the reports attached.

 

In firefox open a new tab still opens with the "www-searching.com" hijack website: --> http://www-searching.com/?pid=s&s=F18zamodk08491,50859761-925e-48f0-ba89-9b77df3151ca,&fnt=1

 

The 'Session Manager' icon that used to be visible on the firefox toolbar just under all the tabs next to the URL and Search fields still has not appeared back yet like the other addon which appeared back in the previous reply.

 

Firefox is still the default browser but In Windows Explorer all the saved webpage files still have the Internet Explorer's "e" icon/thumbnail instead of the firefox icon/thumbnail that was displayed before the hijack.

 

Thanks and look forward to hear back from you

 

 

Fixlog.txt

zoek-results.log

Link to post
Share on other sites

Let's use FRST again:
 
 
FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

Thank you, uploaded the new logs

 

and noticed again that when clicking on links from a webpage that I'm reading it automatically redirected to some other websites.... for example, I was just on

bleepingcomputer.com forum and when clicked to go to the next page it redirected in the following order (from firefox history)

1st example: -->

- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DEDTf0Hlv1pQ_0&i=DcvbDYAgDADA727BApKWUh7jVAFjAiHBRNfX-z_nrRebgyVGYHGAFpmSAEKEALmlwOQaCirWWohoL0d0kYIU9QwXe1h1zEe76fO8zdD-6qr_3-gD&ou=aHR0cDovL3d3dy5ibGVlcGluZ2NvbXB1dGVyLmNvbS9mb3J1bXMvdC81NDE1OTQvaS1hbS1pbnRlcmVzdGVkLWluLWxlYXJuaW5nLWxpbnV4Lz92aWV3PWZpbmRwb3N0JnA9MzU5MzE3OSZobD0lMkJkZWZyYWc=
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DEDTf0Hlv1pQ_0&i=DcvbDYAgDADA727BApKWUh7jVAFjAiHBRNfX-z_nrRebgyVGYHGAFpmSAEKEALmlwOQaCirWWohoL0d0kYIU9QwXe1h1zEe76fO8zdD-6qr_3-gD&ou=aHR0cDovL3d3dy5ibGVlcGluZ2NvbXB1dGVyLmNvbS9mb3J1bXMvdC81NDE1OTQvaS1hbS1pbnRlcmVzdGVkLWluLWxlYXJuaW5nLWxpbnV4Lz92aWV3PWZpbmRwb3N0JnA9MzU5MzE3OSZobD0lMkJkZWZyYWc=&jskey=3080587
- http://computerlivehelp.co/2k15/support-for-antivirus.php
 

2nd example: -->

- http://www.facebook.com/plugins/like.php?action=like&app_id=875027339201683&channel=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F7r8gQb8MIqE.js%3Fversion%3D41%23cb%3Df2a97d91ed66d54%26domain%3Dwww.bleepingcomputer.com%26origin%3Dhttp%253A%252F%252Fwww.bleepingcomputer.com%252Ff101facb01925%26relation%3Dparent.parent&href=http%3A%2F%2Fwww.bleepingcomputer.com%2Fforums%2Ft%2F541594%2Fi-am-interested-in-learning-linux%2Fpage-3%3Fhl%3D%2Bdefrag&layout=button_count&locale=en_US&sdk=joey&send=false&show_faces=false&width=150
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DZ3yjt1%2AgGZE_4&i=DcvLDYAgDADQc7dgAUk_UGQcFDAk2IPRxPH1_h4HH6LP6kkQRBHQY6TMIgEQEijkvqoQd4xYsLVKRFvdEyfSWEsQGD-dw57XncNuN1u5bNjx94U-&ou=aHR0cDovL3d3dy5ibGVlcGluZ2NvbXB1dGVyLmNvbS9mb3J1bXMvdC81NDE1OTQvaS1hbS1pbnRlcmVzdGVkLWluLWxlYXJuaW5nLWxpbnV4L3BhZ2UtMj9obD0lMjBkZWZyYWc=
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DZ3yjt1%2AgGZE_4&i=DcvLDYAgDADQc7dgAUk_UGQcFDAk2IPRxPH1_h4HH6LP6kkQRBHQY6TMIgEQEijkvqoQd4xYsLVKRFvdEyfSWEsQGD-dw57XncNuN1u5bNjx94U-&ou=aHR0cDovL3d3dy5ibGVlcGluZ2NvbXB1dGVyLmNvbS9mb3J1bXMvdC81NDE1OTQvaS1hbS1pbnRlcmVzdGVkLWluLWxlYXJuaW5nLWxpbnV4L3BhZ2UtMj9obD0lMjBkZWZyYWc=&jskey=4770289
- http://c.clickkings.com/search.php?q=linux+mint+learning&sid=tl_hs_05&par=aHR0cDovL2MuaG9pc3RzZWFyY2guY29tL3JlZHJjdC5waHA/dXJsPWFIUjBjRG92TDNOcUxuaGthWEpsWTNSNExtTnZiUzlqYkdsamEyeHBibXN1Y0dod1AzRnllVDFpTUdSbU5EbGxaakpoTjJNeU9UWmtNelE1TlRabFpqRTFNVEZrWkRjNVpXWTVOamsyWXpjNFpUVTBZVGs1TjJNMFlqVXpNelZsTTJOa00yVTJNelJqWkRJNFlUTTFNMkl3TkRkbU5URmhNemczWXpaak1EQmpOR1EwTmpVMU5UUTJOR0ptTmpBM09EVmxabVUyWWpVM1pHRTRNRFUzT1dJNE0yUXpNVFJrWTJOaU1qVTNNVGxqTVdJMlpEY3hPR0kzWWpreU5HTm1OalEyWkdRMFpqVTVNbVUyTW1Zd05XUTRNemN5TlRFNE1Ea3dZelk1WkRjeU1qTmhNamszT1dOa05EWTVNMkl4Tm1KalpEVTRObUpsTlRBM016UXdaR0UwTURkaE5ETTBOak0zWkRBMU5qRmtPVFkwT1dJNVpESmhaV1ZpWlRreU5qRTBNRGRoWXpNME9UWTFOR1U1T1RReU5EYzNZbUkzTmpNMVpqRTJaREZqWlRWalpXTmlObUk1WVRBek9USTJZekkxTTJFME5UUTFaamxrWmpGbE1HWXlOekEwWW1VM05EQmxNMkk0TWpjd01tUm1aamszTXpSbE5UaGtZemxqTWpOak1HRTBaREppTkRFNU56Rm1NVEptWW1SbVpUTmtNalU1T1dWbFpqQmhOekJqTWpJd09EWm1ZVE14WlRZeFpEVXhPVEU1WTJNNVlqRmhPR1V4T0daaE0yUXpOemt3TURBeE1tWmhNR1ptTW1Fd01ERXhZbVJsT0RkaFlUQTRNR0l3TW1JeE9EazFPRE5pWVdabU9EbGlNVEF5TWpNeU5UYzBOell6TmpJNFpHWTFaV0kxT1dNNVpqSTVPVFV4TkdJd1lUTTVZekEzTmpneFptWTBPREZtTWprM01XSTBabVF6T0dNMFkyUTFOVEZtTURObE5XUTBZVGhtTXpBNVlXRTJNMlk1TTJFd1pXSTFNalpsTnpkaU56Y3pNMk0yTkdNeE1EYzBZalUwWVdSak5HVTRZbU5pTTJOaE0yVXhaRGswTm1Zd09USTJaVEZrTlRjM01HVm1OV1k1WkdFeU9HSTVNamczTTJGa1lUbGxaVE5sTVRVME9HTmtaVFl4TkRnMU16Wm1OV1U0WVRsaFltTTJPVEZtTlRJd1ltSTVNMkpsWldFek1HVTFPVEE0T1RabU56UmlNVFprTkRRMk1EbG1OMlJsWWpkaEpuSjFQV3hrSlRORVpETlZaWEpTY2xvelRWSlRhblJ6VDAxcU5GWkljVVJVVmxWRFZYaG5ibTAxV0c1TWJWQk9UMjlQUlVSd1EzRlZZbVZRVGtsUWFGOUlYMlpVZWtGd2RETjJYMmhtUlUxb1gyeHdXRlZxTlMxRGVtZEhTak4yUkdGMFVFdFJialkzTlhndFJYbFJVVU5SY2pWa1JqVktjV2hNVFhwNlZsSkZNWFJuVkZjeGRFdHhTVU5qVlVRNVRsUnZTMGxDYTJoMmVteFJWSHB5U0hRNFdWVmFRU1V5Tm5VbE0wUm9kSFJ3SlRJMU0yRWxNalV5WmlVeU5USm1OVEF6TG5obk5HdGxiaTVqYjIwbE1qVXlabTFsWkdsaEpUSTFNbVp5WldScGNpNXdhSEFsTWpVelpuQnliMllsTWpVelpEUXdNeVV5TlRJMlkyRnRjQ1V5TlROa05USTNOek16T0NVeU5USTJZV1ptWTI5a1pTVXlOVE5rWTNJNU5Ua3hNekFsTWpVeU5tdGZhVzV1WlhKZmRYSnNYMlZ1WTI5a1pXUWxNalV6WkRFbE1qVXlObU5wWkNVeU5UTmtOakV5TURZM01EVXpNU1V5TlRkak5EY3hORFU0TXlVeU5UZGpiV2x1ZENVeU5USTJiVlI1Y0dVbE1qVXpaSEFsTWpVeU5uRjFaWEo1VTNSeUpUSTFNMlJzYVc1MWVDVXlOVEkxTWpCdGFXNTBKVEkxTWpVeU1HeGxZWEp1YVc1bkpUSTFNaloxY213bE1qVTFZaVV5TlRWa0pUSTFNMlJvZEhSd2N5VXlOVEkxTTBFbE1qVXlOVEpHSlRJMU1qVXlSbUZrTG1SdmRXSnNaV05zYVdOckxtNWxkQ1V5TlRJMU1rWmtaRzBsTWpVeU5USkdZMnhySlRJMU1qVXlSakk0TXpnMU5qQTNOU1V5TlRJMU0wSXhNVEEzTXpNME16RWxNalV5TlROQ1l5VXlOVEkxTTBab2RIUndKVEkxTTJFbE1qVXlOVEpHSlRJMU1qVXlSbmQzZHk1dGFXNTBMbU52YlNVeU5USTFNMFpqYVdRbE1qVXlOVE5FY0hCalgyMXpibDl1WWw5emRHRnVYelF3TXkwMU1qYzNNek00TFRRM01UUTFPRE1sTWpVeU5USTJTMGxFSlRJMU1qVXpSRjlyWlc1emFHOXZYMk5zYVdOcmFXUmYmS2V5d29yZD1iR2x1ZFhnZ2JXbHVkQ0JzWldGeWJtbHVadz09JnBhcnRuZXJJbmZvSUQ9MTAwJnNpZD1kR3hmYUhOZk1EVT0mcmVmZXJlcj1hSFIwY0RvdkwyTXVZMnhwWTJ0cmFXNW5jeTVqYjIwdmMyVmhjbU5vTG5Cb2NEOXhQV3hwYm5WNEsyMXBiblFyYkdWaGNtNXBibWNtYzJsa1BYUnNYMmh6WHpBMSZpcD0yNC40NS45Ni4xMzAmc291cmNlVGFnPU1Ua3pNREU9JmJsb2NrZWRfdXJsPXd3dy5taW50LmNvbSZmZWVkPTEmcGFydG5lcklEPTYmc2VydmVyPTI=
- http://c.hoistsearch.com/redrct.php?url=aHR0cDovL3NqLnhkaXJlY3R4LmNvbS9jbGlja2xpbmsucGhwP3FyeT1iMGRmNDllZjJhN2MyOTZkMzQ5NTZlZjE1MTFkZDc5ZWY5Njk2Yzc4ZTU0YTk5N2M0YjUzMzVlM2NkM2U2MzRjZDI4YTM1M2IwNDdmNTFhMzg3YzZjMDBjNGQ0NjU1NTQ2NGJmNjA3ODVlZmU2YjU3ZGE4MDU3OWI4M2QzMTRkY2NiMjU3MTljMWI2ZDcxOGI3YjkyNGNmNjQ2ZGQ0ZjU5MmU2MmYwNWQ4MzcyNTE4MDkwYzY5ZDcyMjNhMjk3OWNkNDY5M2IxNmJjZDU4NmJlNTA3MzQwZGE0MDdhNDM0NjM3ZDA1NjFkOTY0OWI5ZDJhZWViZTkyNjE0MDdhYzM0OTY1NGU5OTQyNDc3YmI3NjM1ZjE2ZDFjZTVjZWNiNmI5YTAzOTI2YzI1M2E0NTQ1ZjlkZjFlMGYyNzA0YmU3NDBlM2I4MjcwMmRmZjk3MzRlNThkYzljMjNjMGE0ZDJiNDE5NzFmMTJmYmRmZTNkMjU5OWVlZjBhNzBjMjIwODZmYTMxZTYxZDUxOTE5Y2M5YjFhOGUxOGZhM2QzNzkwMDAxMmZhMGZmMmEwMDExYmRlODdhYTA4MGIwMmIxODk1ODNiYWZmODliMTAyMjMyNTc0NzYzNjI4ZGY1ZWI1OWM5ZjI5OTUxNGIwYTM5YzA3NjgxZmY0ODFmMjk3MWI0ZmQzOGM0Y2Q1NTFmMDNlNWQ0YThmMzA5YWE2M2Y5M2EwZWI1MjZlNzdiNzczM2M2NGMxMDc0YjU0YWRjNGU4YmNiM2NhM2UxZDk0NmYwOTI2ZTFkNTc3MGVmNWY5ZGEyOGI5Mjg3M2FkYTllZTNlMTU0OGNkZTYxNDg1MzZmNWU4YTlhYmM2OTFmNTIwYmI5M2JlZWEzMGU1OTA4OTZmNzRiMTZkNDQ2MDlmN2RlYjdhJnJ1PWxkJTNEZDNVZXJSclozTVJTanRzT01qNFZIcURUVlVDVXhnbm01WG5MbVBOT29PRURwQ3FVYmVQTklQaF9IX2ZUekFwdDN2X2hmRU1oX2xwWFVqNS1DemdHSjN2RGF0UEtRbjY3NXgtRXlRUUNRcjVkRjVKcWhMTXp6VlJFMXRnVFcxdEtxSUNjVUQ5TlRvS0lCa2h2emxRVHpySHQ4WVVaQSUyNnUlM0RodHRwJTI1M2ElMjUyZiUyNTJmNTAzLnhnNGtlbi5jb20lMjUyZm1lZGlhJTI1MmZyZWRpci5waHAlMjUzZnByb2YlMjUzZDQwMyUyNTI2Y2FtcCUyNTNkNTI3NzMzOCUyNTI2YWZmY29kZSUyNTNkY3I5NTkxMzAlMjUyNmtfaW5uZXJfdXJsX2VuY29kZWQlMjUzZDElMjUyNmNpZCUyNTNkNjEyMDY3MDUzMSUyNTdjNDcxNDU4MyUyNTdjbWludCUyNTI2bVR5cGUlMjUzZHAlMjUyNnF1ZXJ5U3RyJTI1M2RsaW51eCUyNTI1MjBtaW50JTI1MjUyMGxlYXJuaW5nJTI1MjZ1cmwlMjU1YiUyNTVkJTI1M2RodHRwcyUyNTI1M0ElMjUyNTJGJTI1MjUyRmFkLmRvdWJsZWNsaWNrLm5ldCUyNTI1MkZkZG0lMjUyNTJGY2xrJTI1MjUyRjI4Mzg1NjA3NSUyNTI1M0IxMTA3MzM0MzElMjUyNTNCYyUyNTI1M0ZodHRwJTI1M2ElMjUyNTJGJTI1MjUyRnd3dy5taW50LmNvbSUyNTI1M0ZjaWQlMjUyNTNEcHBjX21zbl9uYl9zdGFuXzQwMy01Mjc3MzM4LTQ3MTQ1ODMlMjUyNTI2S0lEJTI1MjUzRF9rZW5zaG9vX2NsaWNraWRf&Keyword=bGludXggbWludCBsZWFybmluZw==&partnerInfoID=100&sid=dGxfaHNfMDU=&referer=aHR0cDovL2MuY2xpY2traW5ncy5jb20vc2VhcmNoLnBocD9xPWxpbnV4K21pbnQrbGVhcm5pbmcmc2lkPXRsX2hzXzA1&ip=24.45.96.130&sourceTag=MTkzMDE=&blocked_url=www.mint.com&feed=1&partnerID=6&server=2
- https://www.mint.com/?cid=ppc_msn_nb_stan_403-5277338-4714583&KID=26394267-c341-5a89-ba90-0000653ba9cd
 

 

 

FRST.txt

Addition.txt

Link to post
Share on other sites

ok scanned with the updated FRST version

 

 

and a few more automatic-redirect examples (in the order from firefox history)

3rd example: -->
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DvCa3uYQyY5k_0&i=DctBEoAgCADAM7_oAzkgAvEcU2w8eGnq_7X3zSUVSa6JGIElAyYUN1E3QDBQ8HEoUx4oWDGiE9HZm2UjlV4Lw-QCz_3GNle9Ylu1_XOnDw~~&ou=aHR0cDovL3d3dy5hY3JvbmlzLmNvbS9lbi11cy9wZXJzb25hbC9oYXJkLWRyaXZlLWhlYWx0aC8=
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DvCa3uYQyY5k_0&i=DctBEoAgCADAM7_oAzkgAvEcU2w8eGnq_7X3zSUVSa6JGIElAyYUN1E3QDBQ8HEoUx4oWDGiE9HZm2UjlV4Lw-QCz_3GNle9Ylu1_XOnDw~~&ou=aHR0cDovL3d3dy5hY3JvbmlzLmNvbS9lbi11cy9wZXJzb25hbC9oYXJkLWRyaXZlLWhlYWx0aC8=&jskey=5610754
- http://filter.adventurefeeds.com/filter?q=true+image+mac&i=vCa3uYQyY5k_0&t=351733599
- http://search.beesq.net/searcha.php?keyword=true+image+mac&xy=cce96d9371af7568b5a8e2f4fd5e525e&tt=16003&ts=1234_NDST_05_11
- http://www.infomash.org/index1.php?adid=11910
 
4th example: -->
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DUdJ-WFfH9U0_4&i=DczbDYAgDADA727hApKWPpBxkKIhJmrQ_aM3wEUJoiFbIEZgQ8CAasqZBBASGORtMaa4oWLB1pyIVq8pJjL1IgydBbw_x-R9tPpeY7ruNsrbz_0vZvoA&ou=aHR0cDovL3d3dy5hY3JvbmlzLmNvbS9lbi11cy9wZXJzb25hbC9kaXNrLW1hbmFnZXIvI3Byb2R1Y3RfZmFxLWJsb2NrXzEtOQ==
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fxml.adventurefeeds.com%2Fclick%3Fi%3DUdJ-WFfH9U0_4&i=DczbDYAgDADA727hApKWPpBxkKIhJmrQ_aM3wEUJoiFbIEZgQ8CAasqZBBASGORtMaa4oWLB1pyIVq8pJjL1IgydBbw_x-R9tPpeY7ruNsrbz_0vZvoA&ou=aHR0cDovL3d3dy5hY3JvbmlzLmNvbS9lbi11cy9wZXJzb25hbC9kaXNrLW1hbmFnZXIvI3Byb2R1Y3RfZmFxLWJsb2NrXzEtOQ==&jskey=2151467
- http://search.beesq.net/searcha.php?keyword=disk+director+operating&xy=38a17dbe2999cf8d28bb75f6c7dd6a38&tt=15964&ts=1234_NTDD_08_19
- http://www.amazon.com/s/?ie=UTF8&keywords=disk+director&tag=mh0b-20&index=aps&hvadid=3482327079&ref=pd_sl_4s3kwvi0lw_p

 

FRST.txt

Addition.txt

Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Link to post
Share on other sites

Please reply to my last post that you did not say anything about....which I do not appreciate because if it was not important to me I would not have written anything about the fact that there are applications that are now missing....obviously deleted without notifying me and asking if I agree to do so... which I would decline to delete whole directories of completely innocent applications that I know are totally clean and I'm against blindly deleting like a scorched earth strategy which now made shortcuts from the start menu

not able to find whole directories of programs like the Internet Download Manager and Malwarebytes Anti-Exploit that were deleted on a whim and I want these to be restored back to before any of this blind deletions were done without asking me if it's ok to delete these innocent bystanding applications and who knows what else has been deleted that I didn't have a chance to get to yet...so this is not ok with me. So I would like to return to the system restore point before any of this was blindly deleted and instead do very targeted and specific and ask me if it's ok to delete innocent bystanding applications which I was never informed about since I know some things better about than you do.

Link to post
Share on other sites

Yes, as I see only Internet Download Manager folder is deleted. It is not my mistake, the tool targeted it and it is author's decision or maybe false detection.

 

But if you perform System Restore point, not only that you will get back IDM folder, but you will also return a lot of other malicious folders, what return us to the beginning. 

 

Mbar folder isn't important at all, it is portable tool and you can download it whenever you wish.

 

Simply reinstall IDM and we can continue.

Link to post
Share on other sites

Fixlog attached as well as the latest FRST Scan tool logs that I just did with the latest downloaded FRST updated tool version.

and here is what I'm noticing:

 

1. in firefox opening a new tab is now clean and looks normal

 

2. when clicking on links from websites I'm reading again hijacks as automatic redirect to other websites.... example, I just went to http://www.malwarebytes.org/website and when I started clicking on links at the top of the page, after about 2 or 3 clicks the hijack automatically redirected in the following order (from firefox history): -->

http://www.malwarebytes.org/products/
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fmeta.7search.com%2Fclick%2Fclick.aspx%3Fx%3D%252fDXU04D5cHHkB4JQVcFOgg%253d%253d_HEU%252ffIaJ3MKDVlJK35N4q4ZQecmrIxQIyakM%252f%252fzNgLMWeiDX48EROuaG0HQe4SBGuIollq7QJl1Fg%252b8rdQmmpLq4VgG8nBqX53mmCoL53VBXSkLB2hXQ%252btteW1AnZKv2Duw1vxDejSfEnOB9BmqAGvUu0Ua%252fGNHB%252fKszmIy%252byEvAj2WFescsriwrVx97jcCFl7VzT2fLu34vOA2CIa2C9g%252bP00aUWDLFLKQLSYlt9xDF7QDaHbCoO8lpflk4%252fmKOh88dSRLSQMmiNx5u%252fJsMIQ%253d%253d&i=FcTBDYAgDAXQ89_CBSQtpUXHQSmJiV5QY9ze-A4vppA0zBZYCCIRFEj_aDIVZBjmNplwbKRUyL0y81LXHDOb1pIEmyQcZX9K96F19-H09e7b9YIw8gc~&ou=aHR0cDovL3d3dy5tYWx3YXJlYnl0ZXMub3JnL2J1c2luZXNzLw==
- http://find-all-you-want.com/aff?aff=http%3A%2F%2Fmeta.7search.com%2Fclick%2Fclick.aspx%3Fx%3D%252fDXU04D5cHHkB4JQVcFOgg%253d%253d_HEU%252ffIaJ3MKDVlJK35N4q4ZQecmrIxQIyakM%252f%252fzNgLMWeiDX48EROuaG0HQe4SBGuIollq7QJl1Fg%252b8rdQmmpLq4VgG8nBqX53mmCoL53VBXSkLB2hXQ%252btteW1AnZKv2Duw1vxDejSfEnOB9BmqAGvUu0Ua%252fGNHB%252fKszmIy%252byEvAj2WFescsriwrVx97jcCFl7VzT2fLu34vOA2CIa2C9g%252bP00aUWDLFLKQLSYlt9xDF7QDaHbCoO8lpflk4%252fmKOh88dSRLSQMmiNx5u%252fJsMIQ%253d%253d&i=FcTBDYAgDAXQ89_CBSQtpUXHQSmJiV5QY9ze-A4vppA0zBZYCCIRFEj_aDIVZBjmNplwbKRUyL0y81LXHDOb1pIEmyQcZX9K96F19-H09e7b9YIw8gc~&ou=aHR0cDovL3d3dy5tYWx3YXJlYnl0ZXMub3JnL2J1c2luZXNzLw==&jskey=2633417
- http://meta.7search.com/click/free_click.aspx?u=http%3a%2f%2ffiles101.com%2fiobit-malware-fighter%3fkeyword%3dmalware%2bfree%26affid%3d80446%26rid%3d13016
- Malwarebytes Anti-Malware Detection, 1/15/2015,  Malicious Website Protection,  IP,  54.213.151.196,  files101.com,  0,  Outbound
  http://block.malwarebytes.org/ "Malwarebytes Anti-Malware has blocked a potentially malicious website."
 

3. Firefox is still default browser but when viewing files In Windows Explorer, all the saved webpage files still show Internet Explorer's "e" icon/thumbnail instead of the firefox icon/thumbnail that was displayed before the hijack.

 

4. The 'Session Manager' icon that was visible next to the other addons on the firefox toolbar just under all the tabs next to the URL and Search bars, still is missing and has not appeared back yet like the other addon which appeared back in an earlier reply that I wrote.

 

Thanks and look forward to hear back from you

 

Fixlog.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware
 
Please re-run 51a46ae42d560-malwarebytes_anti_malware. Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, choose Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.
 
 
 
 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

The new FRST.txt and Addition.txt log files are attached and Malwarebytes' Anti-Malware Premium updates and runs the exact scan you just said every night that I setup from the beginning which takes over 4.5 hours to complete and I'm attaching the latest scan results from this morning and it has been the same results every time with nothing detected since before starting our conversation in this thread.

 

Thanks and look forward to hear back from you

 

 

FRST.txt

Addition.txt

Malwarebytes Scan 2015_01-15.txt

Link to post
Share on other sites

  • Root Admin

Hello betterclear

I've been asked to assist you if possible. Unfortunately malware detection and removal is not without issues and clean up can certainly break things.

Please read the following which hopefully will shed some light on the issue for you.

The complexity of finding, preventing, and cleanup from malware

Go ahead and do a System Restore then if you like and we'll start over. Again though it's best that you backup data or settings you want as most of these tools will remove certain registry or file entries in an attempt to stop threats.

After you have done your system restore and are happy how things look then restart the computer one more time, then read the following and proceed as requested.

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.

If there is anything that you do not understand kindly ask before proceeding.

If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)
STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes

so that your normal security software can then run and clean your computer of infections.

When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies

that stop us from using certain tools. When finished it will display a log file that shows the processes that were

terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot

your computer as any malware processes that are configured to start automatically will just be started again.

Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
STEP 02

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x

When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.