MajorGeeks Support Forums


Malware Removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


  #1  
07-06-13, 10:07
bryanousa, Private E-2
V9 portal redirect browsers

Hello, apparently we have an infection where V9 portal is redirecting all traffic on chrome and internet explorer.
This is only happening on the newest (6 month old Dell, Win 8).
So far the other 2 desktops and 2 laptops are unaffected.
I have run the preliminary checks as instructed.
Logs attached.
thanks in advance for your help.
Bryan
Attached Files
File Type: txt TDSSKiller.2.8.16.0_06.07.2013_08.30.20_log.txt (140.6 KB, 2 views)
File Type: txt RKreport[0]_S_07062013_081816.txt (2.4 KB, 3 views)
File Type: zip MGlogs.zip (223.7 KB, 3 views)
File Type: txt MBRCheck_07.06.13_09.22.11.txt (12.9 KB, 1 views)
File Type: log HitmanPro_20130706_0845.log (4.9 KB, 5 views)
  #2  
07-06-13, 14:00
chaslang, MajorGeeks Admin - Master Malware Expert
Re: V9 portal redirect browsers

Welcome to Major Geeks!

Please put copies of the below three files into a ZIP file and attach this ZIP to your next message.
Quote:
C:\Users\Charlotte\Desktop\firefox.lnk
C:\Users\Charlotte\Desktop\Google Chrome.lnk
C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Also run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.v9.com/?utm_source=b&utm_m...&ts=1372683399
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.v9.com/?utm_source=b&utm_m...&ts=1372683399
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.v9.com/?utm_source=b&utm_m...&ts=1372683399
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.v9.com/?utm_source=b&utm_m...&ts=1372683399
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-results.com/sr?src...q={searchTerms}
O4 - HKUS\S-1-5-21-1696883205-2974743405-3413143149-1004\..\Run: [SearchProtect] C:\Users\bryan_000\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'bryan_000')
O20 - AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\mgrldr.dll

After clicking Fix, exit HJT.


Please download OTM by Old Timer and save it to your Desktop.
  • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
  • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
    (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
    the code box
Code:
:Processes
explorer.exe
 
:Files
C:\PROGRA~2\SEARCH~1\Datamngr
C:\PROGRA~2\SEARCH~1
C:\Users\bryan_000\AppData\Roaming\SearchProtect
C:\Users\Charlotte\Documents\Downloads\setup (2).exe
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Datamngr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_USERS\S-1-5-21-1696883205-2974743405-3413143149-1001\Software\DataMngr_Toolbar]
[-HKEY_USERS\S-1-5-21-1696883205-2974743405-3413143149-1001\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[-HKEY_USERS\S-1-5-21-1696883205-2974743405-3413143149-1001\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_USERS\S-1-5-21-1696883205-2974743405-3413143149-1001\Software\Softonic]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{C51BC33F-30DB-4B46-BD58-E6A74B18EA5F}"
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"Backup.Old.DefaultScope"="{E31DFA64-D7CE-4A82-A279-78686BEFF6E3}"
"DefaultScope"="{E31DFA64-D7CE-4A82-A279-78686BEFF6E3}"
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B79526FC-0C95-4C94-8D4E-083659720571}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Now click the large button.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Attach JRT.txt to your next message.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • the C:\_OTM\MovedFiles log
  • the JRT.txt log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter

Last edited by chaslang; 07-06-13 at 14:10..
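The HijackThis R0/R1/O4/O20 lines and the OTM :Reg section in the post above are the hand-picked result of one check: look at every place Windows and Internet Explorer read a start page, a search scope, an AppInit DLL or an autostart entry, and compare what is there against what the user chose. As an added example, not part of the original post and not a MajorGeeks, HijackThis or OTM tool, the PowerShell script below performs that audit read-only on the affected machine. The registry paths are real Windows locations; the $Suspect indicator pattern and the function names are assumptions for this example, drawn from the indicators visible in this thread's logs.

```powershell
# Added example (not from the MajorGeeks thread, not part of HijackThis or OTM):
# read-only audit of the registry locations behind the HijackThis R0/R1/O4/O20
# lines and the OTM :Reg section above. Run from an elevated PowerShell prompt
# on the affected machine; needs PowerShell 3.0+ (Windows 8 ships 3.0).
# All registry paths are real Windows locations. $Suspect is an assumption built
# from the indicators visible in this thread's logs, not a complete list.

$Suspect = 'v9\.com|search-results\.com|datamngr|searchprotect|softonic'

function Get-IEStartPageSettings {
    # HijackThis R0/R1: Start Page, Default_Page_URL and SearchAssistant.
    # HKCU applies to the logged-on user; HKLM is the machine-wide default.
    $targets = @(
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Names = 'Start Page', 'Default_Page_URL' }
        @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';   Names = 'Start Page', 'Default_Page_URL' }
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Search'; Names = 'SearchAssistant' }
    )
    foreach ($t in $targets) {
        if (-not (Test-Path $t.Path)) { continue }
        $props = Get-ItemProperty -Path $t.Path
        foreach ($n in $t.Names) {
            $v = $props.$n
            if (-not $v) { continue }
            [pscustomobject]@{ Location = "$($t.Path)\$n"; Value = $v; Suspect = [bool]($v -match $Suspect) }
        }
    }
}

function Get-IESearchScopes {
    # The {GUID} subkeys the OTM script deletes. DefaultScope names the one IE
    # uses; a DefaultScope pointing at a GUID with no subkey is itself a defect.
    $bases = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    foreach ($base in $bases) {
        if (-not (Test-Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultScope
        foreach ($key in Get-ChildItem -Path $base) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Location = "$base\$($key.PSChildName)" + $(if ($key.PSChildName -eq $default) { ' (DefaultScope)' } else { '' })
                Value    = "$($p.DisplayName) -> $($p.URL)"
                Suspect  = [bool]("$($p.DisplayName) $($p.URL)" -match $Suspect)
            }
        }
        if ($default -and -not (Test-Path "$base\$default")) {
            Write-Warning "$base DefaultScope=$default names a scope subkey that does not exist"
        }
    }
}

function Get-AppInitAndRunEntries {
    # O20 AppInit_DLLs: loaded into every process that maps user32.dll, which is
    # how one DLL (mgrldr.dll in this thread) reaches every browser at once.
    # LoadAppInit_DLLs must be 1 for it to take effect; Windows 8 with Secure Boot
    # enabled ignores it altogether.
    $appInit = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($k in $appInit) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Location = "$k\AppInit_DLLs (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))"
            Value    = $p.AppInit_DLLs
            Suspect  = [bool]("$($p.AppInit_DLLs)" -match $Suspect)
        }
    }
    # O4 Run keys. The thread's SearchProtect entry sat under another user's SID
    # (HKUS\S-1-5-21-...-1004), so walk every loaded profile hive, not just HKCU.
    # Profiles that are not logged on are not loaded and need "reg load" first.
    $userHives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
    $run = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') + @($userHives)
    foreach ($k in $run) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        # Get-ItemProperty adds PSPath/PSParentPath/PSChildName/PSDrive/PSProvider; skip those.
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' })) {
            [pscustomobject]@{ Location = "$k\$($prop.Name)"; Value = $prop.Value; Suspect = [bool]("$($prop.Value)" -match $Suspect) }
        }
    }
}

# Show everything, then only what matched the indicator pattern.
$findings = @(Get-IEStartPageSettings) + @(Get-IESearchScopes) + @(Get-AppInitAndRunEntries)
$findings | Format-Table Location, Value, Suspect -AutoSize -Wrap
$findings | Where-Object { $_.Suspect } | Format-List
```

The script reports and never deletes; removal stays with the OTM script, where each key is listed explicitly. Two design points matter in practice: the O4 entry in this thread lived under a different user's SID than the one running the browser, so auditing only HKCU would have missed it, and an entry can be present yet inert (an AppInit DLL with LoadAppInit_DLLs set to 0, or on a Secure Boot machine), which is why the loader flag is printed next to the value rather than hidden behind a yes/no.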
  #3  
07-06-13, 18:05
bryanousa, Private E-2
Re: V9 portal redirect browsers

Thanks for the quick response!
The redirects are better already.
Attached are the zip files you requested plus all latest log files.

Note: Two of the lines listed for the HJT fix were not found, so I fixed the ones that I could.
Attached Files
File Type: zip firefox.zip (1.1 KB, 2 views)
File Type: zip Google Chrome.zip (1,015 Bytes, 3 views)
File Type: txt JRT.txt (3.3 KB, 2 views)
File Type: zip MGlogs.zip (217.5 KB, 1 views)
File Type: log 07062013_171756.log (17.6 KB, 3 views)
  #4  
07-06-13, 20:05
chaslang, MajorGeeks Admin - Master Malware Expert
Re: V9 portal redirect browsers

Okay we have a little more to remove.
Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
  • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
    (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
    the code box
Code:
:Processes
explorer.exe
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{E31DFA64-D7CE-4A82-A279-78686BEFF6E3}"
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Now click the large button.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the C:\_OTM\MovedFiles log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
  #5  
07-06-13, 20:55
bryanousa, Private E-2
Re: V9 portal redirect browsers

Latest log files attached.
Update:
IE opens to Google.com now; Google chrome, however, still opens to:
en.v9.com.
Should I just uninstall Chrome & reinstall?
(This is my usual browser.)

thanks again
Attached Files
File Type: zip MGlogs.zip (216.9 KB, 0 views)
File Type: log 07062013_203533.log (6.2 KB, 2 views)
  #6  
07-07-13, 15:20
chaslang, MajorGeeks Admin - Master Malware Expert
Re: V9 portal redirect browsers

Quote:
Originally Posted by bryanousa
IE opens to Google.com now; Google chrome, however, still opens to:
en.v9.com.
Should I just uninstall Chrome & reinstall?
Yes, this is sometimes best, but you could first try looking under Settings (which is under the Customize and control Google Chrome icon, the 3 bars to the top right) and then under Settings see the Manage Search Engines button. If V9 appears here you can click it and then click the X to delete it.
  #7  
07-07-13, 16:01
bryanousa, Private E-2
Re: V9 portal redirect browsers

Quote:
Originally Posted by chaslang
Yes, this is sometimes best, but you could first try looking under Settings (which is under the Customize and control Google Chrome icon, the 3 bars to the top right) and then under Settings see the Manage Search Engines button. If V9 appears here you can click it and then click the X to delete it.
I had deleted it in Settings, but found the culprit: The desktop icon was still targeting V9...
Now both IE and Chrome open to my settings.
thank you.
B
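The finding in this post is the one worth remembering: the shortcut itself can carry the hijack. A browser .lnk whose Arguments field holds a URL opens that page on every launch, whatever the browser's own home page and search engine settings say, which is why Chrome kept opening en.v9.com after both had been cleaned. As an added example, not from the thread and not a MajorGeeks tool, the PowerShell script below inspects browser shortcuts in the usual locations through the WScript.Shell COM object and reports (or, with -Repair, clears) an Arguments field that carries a URL. The folder list, the browser name list and the $Suspect pattern are assumptions for this example.

```powershell
# Added example (not from the MajorGeeks thread): inspect browser shortcuts for
# a start URL smuggled into the .lnk Arguments field or a swapped TargetPath,
# the residue that kept Chrome opening en.v9.com after its settings were clean.
# Reads .lnk files through the WScript.Shell COM object; read-only unless -Repair.
# The folder list, browser list and $Suspect pattern are assumptions for this example.

$Browsers = 'chrome\.exe$|iexplore\.exe$|firefox\.exe$|opera\.exe$'
$Suspect  = 'v9\.com|search-results\.com'

function Find-HijackedShortcuts {
    param(
        [string[]] $Folders = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonStartMenu'),
            # Taskbar pins live under Quick Launch\User Pinned\TaskBar; -Recurse reaches them.
            (Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Internet Explorer\Quick Launch')
        ),
        [switch] $Repair   # clear the Arguments field of hijacked browser shortcuts
    )
    $shell = New-Object -ComObject WScript.Shell
    $lnks  = Get-ChildItem -Path $Folders -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue
    foreach ($lnk in $lnks) {
        $sc        = $shell.CreateShortcut($lnk.FullName)
        $target    = $sc.TargetPath
        $arguments = $sc.Arguments
        $looksLikeBrowser = $lnk.BaseName -match 'chrome|internet explorer|firefox|opera'
        if (($target -notmatch $Browsers) -and -not $looksLikeBrowser) { continue }

        # A stock browser shortcut has an empty Arguments field. Anything that
        # looks like a URL there is opened on every launch, regardless of the
        # home page the browser's own settings show.
        $reasons = @()
        if ($arguments -match 'https?://')        { $reasons += 'URL in Arguments' }
        if ($arguments -match $Suspect)           { $reasons += 'known-bad domain in Arguments' }
        if ($target -match $Suspect)              { $reasons += 'known-bad domain in TargetPath' }
        if ($looksLikeBrowser -and $target -notmatch $Browsers) { $reasons += 'browser-named shortcut does not launch a browser' }
        if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target file missing' }

        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Arguments = $arguments
            Hijacked  = ($reasons.Count -gt 0)
            Reason    = ($reasons -join '; ')
        }

        # Repair only the case we can fix safely: a real browser target with a bad
        # Arguments field. A wrong TargetPath needs a fresh shortcut from the browser.
        if ($Repair -and $reasons.Count -gt 0 -and $target -match $Browsers) {
            $sc.Arguments = ''
            $sc.Save()
        }
    }
}

Find-HijackedShortcuts | Format-Table Shortcut, Arguments, Hijacked, Reason -AutoSize -Wrap
```

Run it once without -Repair and read the Reason column before trusting it: a shortcut created by a legitimate kiosk or enterprise setup may carry arguments on purpose, and the script cannot tell that apart from a hijack. Check every profile's Desktop and Start Menu, not only the one you are logged on as; in this thread the shortcuts chaslang asked for belonged to the Charlotte profile while the Run entry belonged to bryan_000.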
  #8  
07-07-13, 16:02
chaslang, MajorGeeks Admin - Master Malware Expert
Re: V9 portal redirect browsers

You're welcome. Glad to hear you fixed it.


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
  3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
    • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
    • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
    • Then we want you to Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work through the below link:
  #9  
07-07-13, 17:10
bryanousa, Private E-2
Re: V9 portal redirect browsers

Cleanup complete.
Note: System restore is much different in Windows 8 than the directions shown, so I am attaching the steps I followed, along with screen shots.

Thanks again for all the help!

Bryan
Attached Files
File Type: zip win8 system restore.zip (627.3 KB, 2 views)
  #10  
07-09-13, 01:49
chaslang, MajorGeeks Admin - Master Malware Expert
Re: V9 portal redirect browsers

You're welcome.

Yes, thanks for reminding me. I will have to get that link that includes how to toggle system restore for all Windows versions updated to include Win 8. In the meantime, I have made a procedure that illustrates all the steps to be used. Many people cannot even figure out how to get to control panel in Win 8, let alone anything else. See the below, which should make it easy:

Win 8 System Restore - How to enable/disable