Redirect virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by ledzeplin101 » December 22nd, 2015, 4:06 pm

Looks like I have some kind of redirect virus that Malwarebytes isn't taking care of for me. Nearly every time I type anything into the search bar, I'm taken to Yahoo, even though I'm searching from Google's homepage. Nobody likes Yahoo's search engine. Certain links are redirecting me as well and it's just generally hard to navigate the web. I can't say much more about the symptoms. Let me know if you can help me solve this and thank you!

Necessary files are attached.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 24th, 2015, 1:50 am

Looking over your logs, back soon.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect virus

Post by Gary R » December 24th, 2015, 2:28 am

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless we are informed in advance, failure to post replies within 3 days will result in this thread being closed.


Hi Bradley

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • As you're using Windows 10, it may be necessary to right click some of the tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Before we start removing anything, I'd like you to run a further scan for me ....

Please download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan.
  • A logfile will automatically open after the scan has finished.
  • Close the AdwCleaner window, click OK to the prompt.
  • Please post the contents of that logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.

AT THIS POINT, DO NOT ATTEMPT TO CLEAN ANYTHING THAT MAY BE FOUND
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect virus

Post by ledzeplin101 » December 26th, 2015, 6:25 pm

Thanks very much for the help. In the past I've had to reinstall the OS so if it's the worst case scenario I am prepared to do so. Luckily most files are on the Hard drive and the OS is on the SSD. Log file is attached.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 26th, 2015, 7:07 pm

OK, let's take care of what I can see so far, and see where that takes us.

First ...

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

BitTorrent


Reboot your computer once it's uninstalled

Next ...

  • Double click AdwCleaner.exe to run it.
  • Click Scan and allow the scan to finish.
  • Now click Clean to remove the items found.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.

Next ...

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Code: Select all
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3789599527-899915616-2387813075-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3321848&octid=EB_ORIGINAL_CTID&ISID=M855B0A64-EF55-4EB1-92FC-FCA6E32F3BB7&SearchSource=55&CUI=&UM=8&UP=SP4A120AC9-3B2F-425F-B603-6FCFC1576ACF&D=082615&SSPV=
CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfQ1dWVpBFwwXbQ0IVwxcFQ1HeBRaUgwSDFAUdgwIVAgXFgBAeB9aFQQTQkcFME0FBloEURNNfX5dFW0ZRGdGM0xUFUo5VFc=&q={searchTerms}
CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHAFGeFoIVwBFDAETdgwVVQEVGRhBcwxbTFxGFwATdQheVgwSGRNBNARaAktXUUEeJ1pNER8fHHJGNG1QBGsUUkBPNEpwFFs=
2015-12-19 21:14 - 2015-12-19 21:14 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2015-12-17 22:40 - 2015-12-22 15:00 - 00000284 _____ C:\WINDOWS\Tasks\InvinciblSens54.job
2015-12-17 22:40 - 2015-12-22 00:25 - 00000294 _____ C:\WINDOWS\Tasks\OutstandLocke8.job
2015-12-17 22:40 - 2015-12-17 22:40 - 00003204 _____ C:\WINDOWS\System32\Tasks\OutstandLocke8
2015-12-17 22:40 - 2015-12-17 22:40 - 00003196 _____ C:\WINDOWS\System32\Tasks\InvinciblSens54
2015-12-17 22:39 - 2015-12-21 14:01 - 00000000 ____D C:\Users\Bradley\AppData\Local\PlatinDivis423
2015-12-17 22:39 - 2015-12-21 14:01 - 00000000 ____D C:\Users\Bradley\AppData\Local\JumpstaServ370
2015-12-14 17:03 - 2015-12-19 13:50 - 00000000 ____D C:\Users\Bradley\AppData\LocalLow\BitTorrent
BitTorrent (HKU\S-1-5-21-3789599527-899915616-2387813075-1000\...\BitTorrent) (Version: 7.9.5.41373 - BitTorrent Inc.)
Task: {34CF499F-B9FB-4F9E-8CBC-B627B1B2D828} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {3ADD65DF-4154-4834-985F-28095E80C34B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3E93385C-5FD5-4670-B619-0D286600B505} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {602891C6-8DEC-4DCF-AE51-A6824BD2C9F0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {61C4299B-8D34-4BFD-95DA-3028663B624D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {7A2542A0-1FD8-4E5A-BEF6-C014F39CC4F3} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {95D2278A-7FDA-4AB1-9EEF-05AA4574AE22} - \UpdateAdmin -> No File <==== ATTENTION
Task: {9846E7D7-8A4B-40A9-90EE-6B76963C76B7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {98B8EB75-FF5C-4FB7-BDBB-DC44A01AB954} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {9D388FA0-001B-4F36-B2B4-BB809E91D4A4} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A6C58837-DA99-4A7E-8009-570522F3B4BF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {F5969DDF-303D-4E54-BEDA-211034E8998C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\InvinciblSens54.job => C:\Users\Bradley\AppData\Local\JUMPST~1\Jupromote.exe
Task: C:\WINDOWS\Tasks\OutstandLocke8.job => C:\Users\Bradley\AppData\Local\JumpstaServ370\Judelete.exe
C:\Users\Bradley\AppData\Local\JUMPST~1\Jupromote.exe
C:\Users\Bradley\AppData\Local\JumpstaServ370\Judelete.exe
FirewallRules: [{33EA5EBE-B638-440A-BE9E-5DF0039174E7}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{2B61F128-5A03-46D5-B1A0-E3665AD3C539}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{7C0CA26E-F51A-41ED-A0BB-24C03466702F}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{E0BA8369-C9AB-4054-8FE7-90036061FD9C}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{AF0F2A69-2D96-4D8E-A46A-FB39B8C7310B}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{6220987A-3302-40D8-8B7C-5D4AC8F6ADA7}] => (Allow) C:\Users\Bradley\AppData\Roaming\BitTorrent\BitTorrent.exe
EmptyTemp:
Hosts:
Cmd: ipconfig /flushdns

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Summary of the logs I need from you in your next post:
  • ADWCleaner log
  • Fixlog.txt
  • Please let me know how your computer is behaving now.


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
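
Added example (not part of the thread, and not FRST's own code): a small triage script that reads FRST-style log lines of the shapes used in the fixlist above and flags Chrome settings pointing at unexpected hosts, Chrome policy restrictions, scheduled tasks whose file is missing, and scheduled tasks that launch executables from a per-user AppData folder. The allowlist of expected hosts, the category names and every value in the sample input are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this user would expect as Chrome home/search/new-tab targets.
EXPECTED_HOSTS = {"www.google.com", "google.com"}

# Line shapes taken from the fixlist in the post above; other lines are ignored.
CHR_URL = re.compile(r"^CHR (HomePage|DefaultSearchURL|DefaultNewTabURL): (\S+) -> (\S+)")
CHR_POLICY = re.compile(r"^CHR (HK\S+): Restriction\b")
TASK_TARGET = re.compile(r"^Task: (.+?) => (.+)$")
TASK_NOFILE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (\S.*?) -> No File")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def host_of(url):
    """Return the lowercase host of a URL, accepting defanged hxxp:// schemes."""
    refanged = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlsplit(refanged).hostname or "").lower()


def triage(lines):
    """Return (category, detail) findings for FRST-style log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := CHR_URL.match(line):
            host = host_of(m.group(3))
            if host not in EXPECTED_HOSTS:
                findings.append(("chrome-setting", f"{m.group(1)} -> {host}"))
        elif m := CHR_POLICY.match(line):
            findings.append(("chrome-policy", m.group(1)))
        elif m := TASK_NOFILE.match(line):
            # Task is registered but the file it should run no longer exists.
            findings.append(("orphan-task", m.group(1)))
        elif m := TASK_TARGET.match(line):
            # Tasks that run binaries from a user-writable profile folder.
            if USER_WRITABLE.search(m.group(2)):
                findings.append(("task-in-appdata", m.group(2)))
    return findings


# Constructed sample input (placeholder names, not the user's real log).
SAMPLE = r"""
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HomePage: Default -> hxxp://search.example.invalid/?q=
CHR DefaultSearchURL: Default -> https://www.google.com/search?q={searchTerms}
Task: {00000000-0000-0000-0000-000000000001} - \ExampleUpdater -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\ExampleJob1.job => C:\Users\Example\AppData\Local\ExampleDir1\run.exe
Task: C:\WINDOWS\Tasks\ExampleJob2.job => C:\Program Files\Vendor\updater.exe
""".splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:16} {detail}")
```

A finding here is only a prompt for review: legitimate software also installs per-user tasks, so each flagged line still needs to be checked by someone who can see the whole log.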

Re: Redirect virus

Post by ledzeplin101 » December 26th, 2015, 7:36 pm

Hope I got it right. Thanks again.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 27th, 2015, 4:59 am

How's your computer behaving now? Are you still being re-directed?
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect virus

Post by ledzeplin101 » December 27th, 2015, 1:31 pm

Yes, unfortunately. Malwarebytes actually blocks these sites, so half the time I do a Google search it goes straight to a screen that says "Malwarebytes has blocked a potentially malicious website." I was about to uninstall Malwarebytes since this doesn't really help me at this point.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by ledzeplin101 » December 27th, 2015, 1:34 pm

I uninstalled Malwarebytes and, as before, it takes me to Yahoo even though I have Google as my default search engine.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 27th, 2015, 7:12 pm

OK, please run a new scan for me with FRST and post me your new Frst.txt and Addition.txt logs.

If FRST asks to update to a new version when you run the scan, please let it update.

Next ....

When the FRST scan has finished, I want you to run a search for me using FRST ....

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;trovi;clientconnect;yahoo

    • Press the Search Registry button.
    • When finished searching a log will open on your Desktop ... Search.txt
    • Please post it in your next reply.

Questions ....

  • Which browser are you using when your searches get re-directed?
  • If you use another browser, do you still get re-directed?
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect virus

Post by ledzeplin101 » December 27th, 2015, 9:53 pm

I use Google Chrome. Microsoft Edge seems to work normally without redirecting me, however.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 28th, 2015, 2:54 am

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Code: Select all
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
Reg: Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\LogonCache\D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F\Name2Sid\042cacdf2300b099d8be154be7635172aedb10e99caf79c0c9bde03c2410a5ad" /v "IdentityName" /f
Reg: Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\LogonCache\D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F\Name2Sid\042cacdf2300b099d8be154be7635172aedb10e99caf79c0c9bde03c2410a5ad" /v "IdentityName" /f
Reg: Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Razer\Synapse\Analytics" /v "CurrentUser" /f
[-HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\ledzeplin101@yahoo.com]
Reg: Reg delete "HKEY_USERS\S-1-5-21-3789599527-899915616-2387813075-1000\SOFTWARE\Microsoft\ActiveSync\Partners\{0C4038CC-5C89-4CCF-8C70-C87FBA04C20C}" /v "Email" /f
[-HKEY_USERS\S-1-5-21-3789599527-899915616-2387813075-1000\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ledzeplin101@yahoo.com]
[-HKEY_USERS\S-1-5-21-3789599527-899915616-2387813075-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\yahoo.com]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\IdentityCRL\StoredIdentities\ledzeplin101@yahoo.com]

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

If you're still being re-directed after this, please do the following ....

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Google Chrome


When doing so, select the Also delete your browsing data checkbox.

Now reboot your computer (this is important as only on reboot will any "malicious" modifications to Chrome be removed).

Once re-booted ....

Download and install a new clean version of Google Chrome ... https://www.google.com/intl/en/chrome/b ... index.html ... then see if you are still being re-directed.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Redirect virus

Post by ledzeplin101 » December 28th, 2015, 1:31 pm

Here you go. I'll let you know if it worked.
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by ledzeplin101 » December 28th, 2015, 1:38 pm

It works! I am no longer being redirected and Chrome works as before. Thanks so much for your help. Is there anything else I have to do?
ledzeplin101
Active Member
 
Posts: 10
Joined: December 21st, 2015, 11:33 pm

Re: Redirect virus

Post by Gary R » December 28th, 2015, 6:08 pm

Glad to hear we found the cause of the re-directs.

So what we need to do now is a little tidying up, and then we're finished.

  • Please download delfix and save it to your desktop.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Check the following boxes ...
    • Remove disinfection tools

    ... then click on Run.
  • Once it has finished, a notepad file named DelFix.txt will open. Post the contents of this notepad in your next reply.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.

  • If you have any remaining problems please let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
Gary R
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire