Redirection... Wonderlandads

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ramsi_ece, Dec 17, 2015.

  1. ramsi_ece

    ramsi_ece Private E-2

    For the past few weeks, on 2 laptops and my iPad connected to a modem, there is a redirection problem: wherever I click, it goes to Wonderlandads or some such website.

    As per the instructions in the forum, I also tried resetting the modem to factory setting, still same issue.

    Ran the Malware removal tools, attaching the logs.. kindly guide me!!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there.

    I am reviewing your logs now, and will get back to you with a response asap.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Which browser(s) does redirection occur in? Does it affect BOTH laptops when browsing?


    FreeFixer <<< Uninstall this


    Fix item using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files tab and locate this detection (if found):

    • [PUP][Folder] C:\Program Files\FreeFixer -> Found

    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Download OTL to your desktop.

    We need to run an OTL Fix


    • Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :files
    C:\Users\Shreyas Sriram\AppData\Local\FreeFixer
    C:\Users\Shreyas Sriram\AppData\Roaming\FreeFixer
    C:\Program Files\FreeFixer
    
    :reg
    [-HKU\S-1-5-21-12704876-3556393682-3166656172-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{7F6AFBF1-E065-4627-A2FD-810366367D01}]
    [-HKU\S-1-5-21-12704876-3556393682-3166656172-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.




    Delete this old version you have of MGTools:
    C:\MGtools.exe


    Could you please get this: 006C17FA.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    Code:
    %systemdrive%\MGTools\zip "%systemdrive%\collect.zip" C:\Windows\System32\drivers\006C17FA.sys

    log retrievable @ C:\collect.zip


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message as well as other requested logs.
     
  4. ramsi_ece

    ramsi_ece Private E-2

    Thanks so much.. As of now, the problem seems to have gone, somehow. Will do the steps you suggested, anyway.
    From Chrome browser, on both laptops, and iPad.

    You guys rock!! Thanks so much!!
     
  5. ramsi_ece

    ramsi_ece Private E-2

    Spoke too soon, sorry. Working on the steps you provided. I could not locate RKreport[2].txt. Attaching the RogueKiller log after deleting the file.
     

    Attached Files:

  6. ramsi_ece

    ramsi_ece Private E-2

    Attaching the other logs
    Thanks!
     

    Attached Files:

  7. ramsi_ece

    ramsi_ece Private E-2

    Please let me know if I should do the above processes on the other laptop? Also, do I need to do anything about the iPad?

    Thanks for your time
     
    Kestrel13! likes this.
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just to clarify...you are only getting redirected in the Google Chrome Browser?
    Yes you will have to follow these steps on the other laptop too but let's get this finished first.
    I do not know what to tell you about the ipad, we do not deal with removing malware from such devices.
     
  9. ramsi_ece

    ramsi_ece Private E-2

    I mainly use only Chrome.. I didn't check on other browsers. As of now, not getting redirected in Chrome either.. Hope the problem is resolved.

    As of now, on the other laptop too, there is no redirection.. If at all it happens again, can I follow the steps listed above?

    Thanks a ton!
     
    Kestrel13! likes this.
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think you should check the status of other browsers you may use too.
    If the redirection comes back, just let me know and I'll give you more instructions to follow.
     
  11. ramsi_ece

    ramsi_ece Private E-2

    Will do, thank you so much..
     
    Kestrel13! likes this.
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Most welcome. ;)
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How are you getting on, ramsi_ece?
     
  14. ramsi_ece

    ramsi_ece Private E-2

    First of all, Happy New Year to you..

    It was good so far, but redirection has started again.. to some <snip>
    Kindly advise what I should do.
     
    Last edited by a moderator: Jan 4, 2016
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Happy New Year!

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  16. ramsi_ece

    ramsi_ece Private E-2

    Please find attached the required logs

    Thanks again for looking into this
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, there's a little bit to do after seeing those logs but not much... before we go any further would you please explain to me about other browsers besides Google Chrome..... do they also redirect?

    Try this below and let me know if it helped for Google Chrome...

    Reset Google Chrome to defaults
     
  18. ramsi_ece

    ramsi_ece Private E-2

    Hello..

    Yes, Redirection also happening in Internet Explorer

    Resetting Chrome to defaults.. doesn't help.. Still redirection happening

    Thanks!
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there.

    FreeFixer <<< Uninstall this.

    Installed Bria Professional <<< What is this?

    Please follow the instructions here to reset your host file.
    Choose easy fix option: >>> https://support.microsoft.com/en-gb/kb/972034 <<<

    I'd like you to power cycle the router:
    To power cycle (reboot) your modem/router, please follow these steps: Switch off and unplug the power from your modem/router. Leave both unplugged for 30 seconds. Plug the power back into the modem/router and verify that you are again connected to the Internet.


    Next....
    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    Download Fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:



      • Fixlog.txt
      • MGlogs.zip
      • EXPLAIN how things are running
     

    Attached Files:

    Last edited: Jan 5, 2016
  20. ramsi_ece

    ramsi_ece Private E-2

    Uninstalled FreeFixer

    Bria - this is a software that I installed... Not related to the redirection problem.

    I ran the above instructions, please find attached the logs

    The redirection is still happening..

    Thanks for your time
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Combofix to your desktop. Please refer to these instructions prior to running. Upload log once done.
     
  22. ramsi_ece

    ramsi_ece Private E-2

    Kindly find attached the log.. The problem is still there..

    Thanks for your time!
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there,

    OK, I want you to follow these instructions to reset Internet Explorer:
    Reset Internet Explorer 9, 10, and 11 to Defaults

    Now I want you to uninstall Google Chrome and Google Update Helper using Revo Uninstaller

    Now do this.... Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  24. ramsi_ece

    ramsi_ece Private E-2

    I reset Internet Explorer
    Uninstalled and reinstalled Chrome using Revo.. Deleted all registry entries

    Still redirection happening :-(

    Again, thanks for your time..
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were only asked to uninstall it. Other cleanup has to be performed first before it is reinstalled, otherwise your cleanup is incomplete and your Chrome installation will remain infected.

    So please repeat ALL of the previous instructions and attach the new log.
     
    Kestrel13! likes this.
  26. ramsi_ece

    ramsi_ece Private E-2

    Apologies.. Please find attached the log...
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these:

    C:\Users\Shreyas Sriram\AppData\Roaming\Google
    C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-12704876-3556393682-3166656172-1000Core.job
    C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-12704876-3556393682-3166656172-1000UA.job

    Also make sure to delete shortcuts you may have for IE and Chrome.


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Reboot the machine... reinstall Google Chrome. Now let me know if both that and IE are still redirecting.
     
    Last edited: Jan 12, 2016
  28. ramsi_ece

    ramsi_ece Private E-2

    Followed the above steps, yes, both are redirecting...
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @Kestrel13!,

    You are forgetting to remove shortcut links and other folders for Chrome. And you should have provided a fix to make sure all folders for all user accounts were actually properly deleted and then double check to make sure they were truly deleted. Chrome should not be reinstalled yet. It should remain uninstalled until you get IE to work by itself.

    If you cannot get IE to work by itself then it is worth trying a public domain/free DNS server like OpenDNS to see if the problem is embedded in the user's DNS server.

    Also I suggest removing the below files which keep multiplying

    Code:
    "C:\Windows\System32\drivers\"
    006c17fa.sys  Dec  6 2015      170200  "006C17FA.sys"
    076a6cab.sys  Dec 22 2015      170200  "076A6CAB.sys"
    0d523ded.sys  Jan  8 2016      170200  "0D523DED.sys"
    1c4461fa.sys  Dec 31 2015      170200  "1C4461FA.sys"
    20de3adb.sys  Dec 11 2015      170200  "20DE3ADB.sys"
    29bd1147.sys  Dec 16 2015      170200  "29BD1147.sys"
    4f1c536f.sys  Jan  4 2016      170200  "4F1C536F.sys"
    58343cbc.sys  Dec 15 2015      170200  "58343CBC.sys"
    607f7aaf.sys  Jan  2 2016      170200  "607F7AAF.sys"
    63a17302.sys  Dec 14 2015      170200  "63A17302.sys"
    65b31da6.sys  Jan  7 2016      170200  "65B31DA6.sys"
    65b51668.sys  Jan  1 2016      170200  "65B51668.sys"
    68453d4d.sys  Jan 12 2016      170200  "68453D4D.sys"
    747b6f96.sys  Dec 23 2015      170200  "747B6F96.sys"
    79e94377.sys  Dec 20 2015      170200  "79E94377.sys"
    And also delete the below ( USE FIXES ) not manual users remove type requests!!!
    C:\Users\Shreyas Sriram\AppData\Local\temp\goopdate.dll9d1ee

    And also uninstall the below and get Java updated:

    Java 7 Update 9
    Java Auto Updater
    Java(TM) 6 Update 12
    Java(TM) 6 Update 32
     
    Last edited: Jan 13, 2016
    Kestrel13! likes this.
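The driver listing in the post above shows the pattern worth automating: randomly named 8-hex-digit .sys files, all the same size, one new file every day or two. The following is an added example (not a tool from the thread or from MajorGeeks) that parses a listing in that layout and flags size clusters of hex-named drivers; the sample listing is constructed, and the cluster threshold is an assumption.

```python
import os
import re
import time
from collections import defaultdict

# Constructed listing in the same "name  date  size  "NAME"" layout the post
# uses. The 170200-byte entries mimic the thread's pattern; the others are
# decoys (normal Windows driver names and a single lone hex-named file).
DRIVER_LISTING = """\
006c17fa.sys  Dec  6 2015      170200  "006C17FA.sys"
076a6cab.sys  Dec 22 2015      170200  "076A6CAB.sys"
0d523ded.sys  Jan  8 2016      170200  "0D523DED.sys"
1c4461fa.sys  Dec 31 2015      170200  "1C4461FA.sys"
ndis.sys      Jul 14 2009      422912  "ndis.sys"
tcpip.sys     Jul 14 2009     1305472  "tcpip.sys"
deadbeef.sys  Jan  9 2016       12288  "DEADBEEF.sys"
"""

LINE_RE = re.compile(
    r'^(?P<name>\S+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{4})'
    r'\s+(?P<size>\d+)\s+"(?P<orig>[^"]+)"$'
)
# Eight lowercase hex digits followed by .sys, i.e. a name with no vendor meaning.
HEX8_RE = re.compile(r'^[0-9a-f]{8}\.sys$')


def parse_listing(text):
    """Return (name, date, size) rows for every well-formed listing line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group("name").lower(), m.group("date"),
                         int(m.group("size"))))
    return rows


def scan_directory(path):
    """Build the same rows from a live folder, e.g. C:\\Windows\\System32\\drivers."""
    rows = []
    for entry in os.scandir(path):
        if entry.is_file():
            st = entry.stat()
            date = time.strftime("%b %d %Y", time.localtime(st.st_mtime))
            rows.append((entry.name.lower(), date, st.st_size))
    return rows


def find_driver_clusters(rows, min_members=3):
    """Group hex-named drivers by byte size. A size shared by min_members or
    more such files is the "keeps multiplying" pattern from the thread.
    min_members=3 is an assumed threshold; a single legitimate driver with a
    hex-looking name will not trigger it, but always verify before deleting."""
    by_size = defaultdict(list)
    for name, _date, size in rows:
        if HEX8_RE.match(name):
            by_size[size].append(name)
    return {size: sorted(names)
            for size, names in by_size.items() if len(names) >= min_members}


if __name__ == "__main__":
    for size, names in find_driver_clusters(parse_listing(DRIVER_LISTING)).items():
        print(f"{len(names)} hex-named drivers of {size} bytes: {', '.join(names)}")
```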
  30. ramsi_ece

    ramsi_ece Private E-2

    Kindly advise how to
    1. Find and remove shortcut links and other folders for Chrome.
    2. Provide a fix to make sure all folders for all user accounts were actually properly deleted and then double check to make sure they were truly deleted.

    3. Should I uninstall Chrome again?

    4. <<If you cannot get IE to work by itself then it is worth trying a public domain/free DNS server like OpenDNS to see if the problem is embedded in the users DNS server.>> Kindly explain
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below using Revo Uninstaller:

    • Google Chrome
    • Google Update Helper
    • Java 7 Update 9
    • Java Auto Updater
    • Java(TM) 6 Update 12
    • Java(TM) 6 Update 32


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Files
    C:\Windows\System32\drivers\006C17FA.sys
    C:\Windows\System32\drivers\076A6CAB.sys
    C:\Windows\System32\drivers\0D523DED.sys
    C:\Windows\System32\drivers\1C4461FA.sys
    C:\Windows\System32\drivers\20DE3ADB.sys
    C:\Windows\System32\drivers\29BD1147.sys
    C:\Windows\System32\drivers\4F1C536F.sys
    C:\Windows\System32\drivers\58343CBC.sys
    C:\Windows\System32\drivers\607F7AAF.sys
    C:\Windows\System32\drivers\63A17302.sys
    C:\Windows\System32\drivers\65B31DA6.sys
    C:\Windows\System32\drivers\65B51668.sys
    C:\Windows\System32\drivers\68453D4D.sys
    C:\Windows\System32\drivers\747B6F96.sys
    C:\Windows\System32\drivers\79E94377.sys
    C:\Users\Shreyas Sriram\AppData\Local\temp\goopdate.dll9d1ee
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Install the latest Java: http://www.majorgeeks.com/files/details/sun_java_runtime_environment_6.html


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Jan 13, 2016
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest also running SystemLook to check both the registry and files for Google and Chrome
     
    Kestrel13! likes this.
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
    Download 32 Bit
    Download 64 Bit

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      Google 
      Chrome
      :regfind
      Google
      Chrome
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  34. ramsi_ece

    ramsi_ece Private E-2

    Hello.. I have a question before running the above steps..

    All the browsers, in all the devices connected to my home internet seem to have the problem. Is there something I should do before running the above steps?

    Already, as advised by you, sometime earlier, I had reset the modem...

    if you feel I should run the above two steps, will do so. Please advise..

    Thanks!
     
  35. ramsi_ece

    ramsi_ece Private E-2

    Also, I don't find Google Update Helper when I open Revo. Only Google Chrome
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just run the steps that I laid out for you, don't worry about not finding Google Update Helper, I will get that out on the next fix.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! This seems to imply what I was saying before about a DNS issue.

    When you say "in all the devices connected", what exactly do you mean?
     
  38. ramsi_ece

    ramsi_ece Private E-2

    Redirection is happening in 2 laptops, an iPad and a phone... Safari browser, IE, Chrome..
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then you need to look into your DNS settings because this implies the problem is at your network level. So either your router is infected or the DNS server that you are set to use ( which applies to anything you connect to your network ) is the cause of the problem. You should try setting up a free DNS connection like with OpenDNS for one example. See the below link:

    http://www.howtogeek.com/201312/how-to-use-opendns-on-your-router-pc-tablet-or-smartphone/

    If that does not help then the problem may be in your router.
     
    Kestrel13! likes this.
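The post above moves the diagnosis from the PCs to the network: if every device and every browser redirects, the resolver the router hands out is the suspect. As an added defender-side check (not a tool from the thread), the example below compares answers from the router's resolver with answers from a trusted resolver such as OpenDNS and flags the two signs of a hijacked resolver: many mismatches, and many unrelated names landing on one address. The answer sets are constructed (RFC 5737 documentation addresses), and the thresholds are assumptions.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample: what the home router's DNS returned for a few unrelated
# sites, beside what a trusted resolver (OpenDNS, 208.67.222.222) returned for
# the same names. Three names collapse onto one host on the router side.
ROUTER_ANSWERS = {
    "news.example.com": "203.0.113.10",
    "shop.example.org": "203.0.113.10",
    "mail.example.net": "203.0.113.10",
    "bank.example.com": "198.51.100.4",
}
TRUSTED_ANSWERS = {
    "news.example.com": "192.0.2.20",
    "shop.example.org": "192.0.2.21",
    "mail.example.net": "192.0.2.22",
    "bank.example.com": "198.51.100.4",
}


def system_resolver_answers(names):
    """Live helper: ask whatever resolver this machine is configured with
    (on a home PC that is usually the router). Not used by the offline sample."""
    answers = {}
    for name in names:
        try:
            answers[name] = socket.gethostbyname(name)
        except socket.gaierror:
            answers[name] = None
    return answers


def compare_resolvers(local, trusted):
    """Names whose local answer differs from the trusted resolver's answer.
    CDNs can cause a few legitimate mismatches, so count and pattern matter
    more than any single hit."""
    return {name: (local[name], trusted[name])
            for name in sorted(local)
            if name in trusted and local[name] != trusted[name]}


def shared_answers(answers, min_names=3):
    """Addresses that several unrelated names resolve to: the redirect pattern
    a hijacked resolver produces when every click lands on one ad host.
    min_names=3 is an assumed threshold."""
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        if ip:
            by_ip[ipaddress.ip_address(ip)].append(name)
    return {str(ip): sorted(names)
            for ip, names in by_ip.items() if len(names) >= min_names}


def assess(local, trusted, max_mismatches=2):
    """Combine both signals into a verdict the user can act on (switch the
    router or each device to a known-good resolver and re-test)."""
    mismatches = compare_resolvers(local, trusted)
    shared = shared_answers(local)
    suspicious = bool(shared) or len(mismatches) > max_mismatches
    return {"mismatches": mismatches, "shared": shared,
            "verdict": "resolver suspicious" if suspicious else "no resolver-level sign"}


if __name__ == "__main__":
    result = assess(ROUTER_ANSWERS, TRUSTED_ANSWERS)
    print(result["verdict"])
    for ip, names in result["shared"].items():
        print(f"{ip} answers for {len(names)} unrelated names: {', '.join(names)}")
```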
  40. ramsi_ece

    ramsi_ece Private E-2

    Thanks, will try that.. Just to confirm, below is the IP I should use?
    "OpenDNS’s primary DNS server is 208.67.222.222 and their secondary server is 208.67.220.220"
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that's correct.
     
  42. ramsi_ece

    ramsi_ece Private E-2

    Hi, After changing DNS address to Google DNS, I haven't faced that problem... Guess it was DNS all the time.. Thanks a ton for the help.
     
    Kestrel13! likes this.
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
