Redirecting Virus/malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by larmar88, Dec 19, 2015.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now I understand much better how you are connected. I still have to wonder if this is somehow the source of your problem.

    Now this explains why GetLogs.bat was not able to complete. Some scan you ran ( maybe your antivirus ) deleted the process.exe file from the MGtools folder and basically broke the ability to run some of the batch file scripts thru to completion. It broke some time after 12/21. SN64.bat is one of the ones that is broken, and this will also cause GetLogs.bat to abort.

    Let's re-download the current version of MGtools and save it to your Desktop folder. Overwrite any previous MGtools.exe file with this one. Make sure UAC is still disabled.

    Now right click on MGtools.exe and select Run As Administrator

    Now attach the below logs:
    • C:\MGlogs.zip
     
  2. larmar88

    larmar88 Private E-2

    The old MGtools.exe was directly on the C: disc, not on the desktop, so I didn't overwrite anything. Here is the log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, there are still a few leftovers from your security programs to clean up. So we will remove them below.

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    IObit Uninstaller

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://unstopp.me/wpad.dat?c6cac71727ca5cf4d753799f316c34d22634289
    O4 - HKUS\S-1-5-18\..\Run: [Advanced SystemCare 5] "D:\Advanced SystemCare 5\ASCTray.exe" /AutoStart (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Advanced SystemCare 5] "D:\Advanced SystemCare 5\ASCTray.exe" /AutoStart (User 'Default user')
    O23 - Service: SAS Core Service (!SASCORE) - Unknown owner - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (file missing)
    O23 - Service: LiveUpdate (LiveUpdateSvc) - IObit - C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
    O23 - Service: ZAM Controller Service (ZAMSvc) - Unknown owner - (no file)

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    
    :Services
    !SASCORE
    LiveUpdateSvc
    ZAMSvc
    
    :Files
    C:\Program Files (x86)\Mozilla Firefox
    C:\Users\Marius\AppData\Roaming\Mozilla
    C:\Program Files (x86)\Google
    C:\Windows\system32\tasks\AVAST Software
    C:\ProgramData\IObit
    C:\ProgramData\ProductData
    C:\ProgramData\SUPERAntiSpyware.com
    C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
    C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    C:\Program Files (x86)\IObit
    C:\Program Files (x86)\Common Files\IObit
    C:\Windows\TEMP\*.*
    C:\Users\Marius\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Advanced SystemCare 5"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar ) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If you are still having issues now then I suspect that it is related to how you connect to the internet and not due to malware as your logs have been basically clean for some time now. I would suggest seeing if you can run your PC from a friend's home without using the usb device that you use ( that is use a direct connection ) and see if you have problems or not.
     
  4. larmar88

    larmar88 Private E-2

    I missed that I had to scroll before copying to OTM, so I had to do it 2 times, so 2 logs.
    I am still having issues, so I guess it has something to do with my internet connection then. It might be a while before I get to check it at a friend's home (2-3 weeks).

    If I use my USB plug in a different computer, will the problem occur there too? (assuming it is the internet connection that is the problem)
    What if I buy a new USB stick or reformat the computer?
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be more in the software that you are using to connect and not the USB stick itself, but I have never seen anyone else using such a device to connect, so I cannot say with any certainty whether the USB stick could get infected. It does not seem like it though, since these redirection issues you are having do not occur that often.

    It is still possible that it is related to websites that you access or some other software you are running. Things like uTorrent, BitRaider, VoipDiscount...etc will always be areas of concern. Also you are going thru some pathways and a DNS server of the company providing your service and that could still be the cause. This was why I wanted you not to use it at all by using a wired connection from a friend's home to see if you still had a problem.

    And if the problem is related to how you connect to the internet or software that you run then any benefit of formatting and reinstalling may be short lived.
     
  6. larmar88

    larmar88 Private E-2

    I see. I will get back to the thread when I get to try out a new connection then, but it might take some time (weeks).
    Thanks for the help so far :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. But since we have removed your protection and it is going to take a long time, you should reinstall your antivirus program now. But I recommend not reinstalling any of the IObit stuff or SUPERAntiSpyware for now.
     
  8. larmar88

    larmar88 Private E-2

    I am now in my friend's house and am connected to the internet through a switch, then a router. I am still having redirects, so I guess it is not my internet connection then.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is possible that while in your friend's house your PC is using the same DNS settings as back at your home and this could be a cause of the redirects. If you are still at your friend's, please get a new log from MGtools while connected to your friend's network.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  11. larmar88

    larmar88 Private E-2

    My USB is not plugged in, I am still with my friend. Here is the zip.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the DNS server does not appear to be the problem because now you are using your friend's.

    I do see something in your last logs that could be causing something like a proxy setup. Let's run FRST again. Please follow the below and redownload because I want to make sure that you get the latest version.

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply if a new one is created.
     
  13. larmar88

    larmar88 Private E-2

    Here are the logs.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the fixlist.txt file attached at the bottom of this message.

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     

    Attached Files:

  15. larmar88

    larmar88 Private E-2

    Here are the logs. Still having redirects.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the main item we wanted to remove was the below line:

    AutoConfigURL: [S-1-5-21-1835656468-3318369441-1907965888-1001] => hxxp://unstopp.me/wpad.dat?c6cac71727ca5cf4d753799f316c34d22634289

    And FRST said it removed it but after your reboot and rescan it is back again. This leads me to believe it is being added by some piece of software you are running.
    I cannot say exactly what but all of the below would be on my suspect list even the item you use to connect:

    C:\Users\Marius\AppData\Roaming\Spotify\SpotifyWebHelper.exe
    C:\Users\Marius\AppData\Local\Akamai\netsession_win.exe
    D:\VoipDiscount\voipdiscount.exe
    C:\Users\Marius\AppData\Roaming\Spotify\Spotify.exe
    C:\Program Files (x86)\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe
    C:\Users\Marius\AppData\Local\Facebook\Update\FacebookUpdate.exe
    C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe
    C:\programdata\bitraider\BRSptSvc.exe
    C:\Program Files (x86)\Telenor\Mobilt bredbånd\Sesam\BIN\SecMIPService.exe
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\Program Files (x86)\Tunngle\TnglCtrl.exe


    While thinking about all the above, also please do the below just in case the issue is not related to any of the above. I believe there have been several types of AutoConfigURL infections around that can be very good at hiding themselves and no scanners find them.

    Also, please download SystemLook_x64 from one of the links below and save it to your Desktop.

    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      unstopp.me
      wpad.dat
      :filefind
      settings.ini
      unstopp.me
      wpad.dat
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
    Last edited: Jan 30, 2016
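The AutoConfigURL line above is the one setting that keeps returning. As an added example (not from this thread or from any of the tools it uses), the following Python script parses log lines in the two formats quoted in this thread, HijackThis "R1" lines and FRST "AutoConfigURL:" lines, and flags PAC URLs a defender would not expect on an unmanaged home PC; the sample log is constructed here, the unstopp.me value is the thread's own, and proxy.corp.example stands in for a legitimate corporate PAC host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log in the two formats seen in this thread (FRST defangs http as hxxp).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigURL = http://unstopp.me/wpad.dat?c6cac71727ca5cf4d753799f316c34d22634289
O4 - HKCU\\..\\Run: [VoipDiscount] "D:\\VoipDiscount\\voipdiscount.exe" -nosplash -minimized
AutoConfigURL: [S-1-5-21-1835656468-3318369441-1907965888-1001] => hxxp://unstopp.me/wpad.dat?c6cac71727ca5cf4d753799f316c34d22634289
AutoConfigURL: [S-1-5-21-1111111111-2222222222-3333333333-1002] => hxxp://proxy.corp.example/proxy.pac
"""

HJT_R1 = re.compile(r"^R1 - (?P<where>[^,]+),AutoConfigURL = (?P<url>\S+)$")
FRST_ACU = re.compile(r"^AutoConfigURL: \[(?P<where>S-1-[\d-]+)\] => (?P<url>\S+)$")


@dataclass
class PacSetting:
    where: str          # registry hive (HJT) or user SID (FRST) the value lives under
    url: str            # refanged URL
    reasons: List[str]  # empty when the setting looks legitimate

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging FRST applies so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_line(line: str) -> Optional[PacSetting]:
    """Return a PacSetting for an AutoConfigURL log line, None for anything else."""
    for pattern in (HJT_R1, FRST_ACU):
        m = pattern.match(line.strip())
        if m:
            return PacSetting(m.group("where"), refang(m.group("url")), [])
    return None


def assess(setting: PacSetting, allowed_hosts: set) -> PacSetting:
    """Attach a reason for every trait that makes a PAC URL look like a hijack."""
    parts = urlparse(setting.url)
    host = (parts.hostname or "").lower()
    if host in allowed_hosts:
        return setting
    if parts.scheme in ("http", "https") and host:
        setting.reasons.append(f"PAC fetched from unmanaged remote host {host}")
    if parts.path.lower().endswith("wpad.dat") and host and not host.startswith("wpad"):
        setting.reasons.append("wpad.dat served from a host that is not the WPAD name")
    if parts.query:
        setting.reasons.append("per-victim query string on PAC URL (tracking/cache-busting id)")
    return setting


def scan(log_text: str, allowed_hosts: set = frozenset()) -> List[PacSetting]:
    """Scan a whole log and return every AutoConfigURL setting with its assessment."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in log_text.splitlines():
        setting = parse_line(line)
        if setting:
            findings.append(assess(setting, allowed))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, {"proxy.corp.example"}):
        print(("SUSPICIOUS " if f.suspicious else "ok         ") + f.where + " -> " + f.url)
        for r in f.reasons:
            print("    " + r)
```

Run it over a real FRST.txt or HijackThis log by passing the file contents to `scan`, with your own known PAC hosts in the allowlist.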
  17. larmar88

    larmar88 Private E-2

    Here is the log. I ran the scan before I deleted the files, don't know if that makes a difference.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the delay!
    I did not ask you to delete any files! I had made a suggestion of possible things to look at that may possibly explain where this AutoConfigURL is coming from. If you actually succeeded in deleting some of those files you may have broken those programs.

    Run OTM.exe by using right click and select Run As Administrator:

    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    • Make sure that you scroll all the way to the bottom of the code box to get the whole fix!
    Code:
    :Processes
    explorer.exe
    
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies]
    @=-
    [HKEY_USERS\S-1-5-21-1835656468-3318369441-1907965888-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  19. larmar88

    larmar88 Private E-2

    Here are the logs. Still having redirects.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! That AutoConfigURL came right back. Still seems like it may be related to something you have installed on your PC or to your ISP. I see the below link reports that it is from Netherlands:

    http://urlquery.net/report.php?id=1454487130481

    Let's try a few new scans to see if anything else comes up.

    ESET Online Scanner using Internet Explorer:

    Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
    Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found in the below link:

    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


    *Click this link to open ESET OnlineScan.
    * Place a checkmark next to "Yes, I accept the Terms of Use", then click the http://www.bleepstatic.com/fhost/uploads/4/greenstart.png button.
    * When prompted allow the Add-On/Active X to install.
    * In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
    * Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    *Then click the http://www.bleepstatic.com/fhost/uploads/4/shieldstart.png button and ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    *When the scan completes, click List Found Threats (only if anything is found).
    *Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Attach this report to your next reply.
    *Click http://www.bleepstatic.com/fhost/uploads/4/back.png, then click http://www.bleepstatic.com/fhost/uploads/4/finish.png to exit ESET Online Scanner.

    Don't forget to re-enable your antivirus when finished!


    Now please download ZHPcleaner to your desktop.

    Make sure that your antivirus is still disabled. If you forgot to do this earlier or it re-enabled due to a reboot, see the below to disable it.

    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    • Please download ZOEK and save it to your desktop (preferred version is the *.exe one - upper left corner).
    http://hijackthis.nl/smeenk/

    • Attached to the bottom of this message you will find a file called zoekscript.txt
    • Download it too and save to your desktop - _it needs to be in the same location as the ZOEK tool
    • Drag zoekscript file and drop it onto ZOEK icon - this should launch the program:
    • The scan may take a while and may need a reboot.
    • Upon completion a file zoek-results should appear.
    • Attach it to your next reply.
     
  21. larmar88

    larmar88 Private E-2

    Here is the log from the first 2, I don't see a zoekscript.txt. I had to uninstall Avast, disabling was not enough.
    ZHPCleaner asked me if I had installed a server, I answered yes, but I have no idea if this is my broadband or not. Photo attached.
    Still having redirects.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I will attach it now to the bottom of this message. Please run it now.

    They are what you have in your DNS Server settings. And they appear to be what you use for an ISP.

    Code:
    IP Address 193.212.112.4
    Host 4.112.212.193.static.cust.telenor.com
    Location: NO, Norway
    City -, - -
    Organization Telenor Norge AS
    ISP Telenor Norge AS 
    Code:
    IP Address 130.67.15.198
    Host ns11.e.nsc.no
    Location: NO, Norway
    City Våle, 17 -
    Organization Telenor Norge AS
    
    Also after running Zoek, please run the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • C:\MGlogs.zip
    It is really looking more and more like this is not due to malware but rather due to settings in hardware or software you run on your PC!
     

    Attached Files:

  23. larmar88

    larmar88 Private E-2

    Sorry about the delay. Here are the logs.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read all of the below instructions and save them to a notepad file or print them so that you can do this while ALL browser windows are closed!!!!

    Right click on the C:\MGtools\analyse.exe file and select Run As Administrator. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now; this is important!!!


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://unstopp.me/wpad.dat?c6cac71727ca5cf4d753799f316c34d22634289
    O4 - HKCU\..\Run: [VoipDiscount] "D:\VoipDiscount\voipdiscount.exe" -nosplash -minimized


    After clicking Fix, exit HJT.

    Now I want you to rerun C:\MGtools\analyse.exe using Run As Administrator again. Are the above two lines gone or did they come back?
     
  25. larmar88

    larmar88 Private E-2

    Gone, at least for now. Still having redirects, though less frequent than before.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With Opera?

    How about with Internet Explorer?
     
  27. larmar88

    larmar88 Private E-2

    Opera is the one I currently use, yes. Just checked IE, redirects there too.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well at this point I'm not sure that we can help you any further on this. It does not appear to be related to any malware on your PC, especially if the unstopp.me/wpad.dat was gone and you still had a problem. I suspect that there is some software you are running that is causing this.
     
  29. larmar88

    larmar88 Private E-2

    I understand. Thanks for the help anyway :)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
