Browser Hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ero_senin05, Dec 13, 2014.

  1. ero_senin05

    ero_senin05 Private E-2

    Hi,

    I'm visiting my brother and am trying to help him sort out his computer issues. They've been using IE and have had a series of different things affect their internet browsing, the first of which was a homepage hijack by isearch.omega-plus - easily fixed by removing the add-on, uninstalling the program and resetting the internet options.

    He also had an issue with pop-ups. At seemingly random moments a click anywhere on a page would raise a pop-up. This was also happening to Google Chrome after installing it.

    The last issue was that whenever a browser (IE or Chrome) was opened, or a new tab was opened within a browser, the home page would load and immediately be hijacked by a page with a black banner across the top reading "A Message from our Sponsor: redirecting you shortly" and, on some occasions but not all, a countdown from 30 next to it. Below the black banner a video would load showing advertising, and in most cases after the video had finished you would return to the home page. Sometimes it would just stay on that page without a video indefinitely until you pressed refresh and started the process over again.

    Since running through the Malware removal guide, all of this seems to have stopped. I have attached all the logs from the process.

    MGlogs will follow in next post

    The computer's specs are:
    ASUS M11AD
    bios:0302
    OS: Windows 8.1 64bit
    CPU: Intel i3-4130T
    RAM: 4GB

    Can someone please let me know if there is anything else within these logs which we need to action to liberate this PC?
     


  2. ero_senin05

    ero_senin05 Private E-2

    And MGlogs attached
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing much in the way of malware. You need to rerun MBAM and have it fix all it finds. Then rerun Hitman and have it fix the "Malware Remnants".

    Use Windows Explorer to find and delete:
    C:\WINDOWS\system32\tasks\ProPCCleaner_Popup
    C:\WINDOWS\system32\tasks\ProPCCleaner_Star

    Tell me what issues you are still having, if any.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tim what about what RogueKiller is finding? Some of that needs fixing too. :)

    And from newfiles.log:

    C:\Program Files (x86)\0ca45c95134d
    C:\WINDOWS\SysNative\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    C:\WINDOWS\SysNative\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat


    A couple of scheduled tasks I'd double check too....
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and rerun RogueKiller and have it fix these items:

    Code:
    ¤¤¤ Files : 1 ¤¤¤
    [Suspicious.Path?Suspicious.Startup][File] PowerReg Scheduler V3.exe -- C:\Users\Sunni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe -> Found
    
    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] 2pzng8xd.default : user_pref("browser.startup.homepage", "http://isearch.omiga-plus.com/?type=hp&ts=1417923405&from=air&uid=TOSHIBAXDT01ACA100_93ESL0YJSXX93ESL0YJSX"); -> Found
    
    ¤¤¤ Registry : 22 ¤¤¤
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IePluginServices (C:\ProgramData\IePluginServices\PluginService.exe -service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UniversalUpdater (C:\Program Files (x86)\0ca45c95134d\cf3e08d747e4.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WindowsMangerProtect (C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IePluginServices (C:\ProgramData\IePluginServices\PluginService.exe -service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UniversalUpdater (C:\Program Files (x86)\0ca45c95134d\cf3e08d747e4.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WindowsMangerProtect (C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service) -> Found
    [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://isearch.omiga-plus.com/?type=hp&ts=1417923405&from=air&uid=TOSHIBAXDT01ACA100_93ESL0YJSXX93ESL0YJSX  -> Found
    [PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://isearch.omiga-plus.com/?type=hp&ts=1417923405&from=air&uid=TOSHIBAXDT01ACA100_93ESL0YJSXX93ESL0YJSX  -> Found
    [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://isearch.omiga-plus.com/web/?type=ds&ts=1417923405&from=air&uid=TOSHIBAXDT01ACA100_93ESL0YJSXX93ESL0YJSX&q={searchTerms}  -> Found
    [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://isearch.omiga-plus.com/web/?type=ds&ts=1417923405&from=air&uid=TOSHIBAXDT01ACA100_93ESL0YJSXX93ESL0YJSX&q={searchTerms}  -> Found
    When done, reboot and rescan with RogueKiller and attach a new log.
     
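A read-only audit of the persistence indicators named in Kestrel13!'s and TimW's posts (the IE Start/Search Page values, the four PUP services, the ProPCCleaner task files, the dropped .bat files and the PowerReg startup item), added here as an example so the same checks can be repeated after cleanup. This is not a script from the thread or from RogueKiller; it assumes an elevated 64-bit PowerShell prompt on the affected machine, and the paths and names are taken only from the logs quoted above.

```powershell
# Added example: re-check the indicators from this thread without changing anything.
# Assumes elevated 64-bit PowerShell (SysNative in the log maps to System32 here).
$hijackDomain = 'isearch.omiga-plus.com'   # domain seen in the RogueKiller log

# IE Start/Search Page in the 64-bit and 32-bit (Wow6432Node) registry views
$ieMainKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main'
)
foreach ($key in $ieMainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Search Page') {
        $value = $props.$name
        if ($value -and $value -like "*$hijackDomain*") {
            Write-Output "[PUM] $key | $name = $value"
        }
    }
}

# PUP services from the log, checked in the live control set
$pupServices = 'CltMngSvc', 'IePluginServices', 'UniversalUpdater', 'WindowsMangerProtect'
foreach ($svc in $pupServices) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        $image = (Get-ItemProperty -Path $svcKey).ImagePath
        Write-Output "[PUP] service $svc still registered -> $image"
    }
}

# Task files, dropped folder/.bat files and the startup item named in the thread
$paths = @(
    "$env:SystemRoot\System32\Tasks\ProPCCleaner_Popup",
    "$env:SystemRoot\System32\Tasks\ProPCCleaner_Star",
    'C:\Program Files (x86)\0ca45c95134d',
    "$env:SystemRoot\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat",
    "$env:SystemRoot\System32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat"
)
# Startup-folder item: check every user profile, not just the one in the log
$paths += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe' }

foreach ($p in $paths) {
    # -LiteralPath so the braces in the .bat names are not treated as wildcards
    if (Test-Path -LiteralPath $p) { Write-Output "[File] still present: $p" }
}
Write-Output 'Audit complete; any lines above are items that still need fixing.'
```

Run it again after the RogueKiller and MBAM fixes and a reboot; a clean machine prints only the final line.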
