Good day Team Avast, community and Analysts.
First-time poster, but long-time user of Avast Antivirus.
My laptop has been infected with the SnapDo browser hijack.
No problem, I just went back to the browser internet options and reset the homepage to one of my liking.
I then was infected with the “aartemis” browser hijack (both on Chrome and Explorer).
I actually lived with it. By simply opening up a fresh tab, the browser would still recognize my default homepage.
Now either the browser hijack changed or I was affected by another one called “22find”.
I have now noticed a surge in unwanted pop-ups such as “adchoice” and “ad Options”, and the Avast antivirus has been catching harmful webpages more frequently.
I noticed that some of my webpages are “not responding, RECOVER WEBPAGE” or “is not responding due to a long-running script, STOP SCRIPT”
The webpages also change their address with a leading address:
res://ieframe.dll/acr_error.htm#xxxxxxxx.com, http://www.xxxxxxxx.com
or
http://rvzr-a.akamaihd.net/sd/dw31.html?u=http%3A%2F%2Frvzr-a.akamaihd.net%2Fsd%2Fapps%2Ffusionx%2F0.0.4.html%3Faff%3D4300-1009&p=Media%20Watch&a=&c=4300-1009&b=msie&bv=10&t1=1396037861260&tt=1396037861260&r=www.google.ca&ua=98&n=yb_fusionx&sn=&mpa=0&mp=0
The remedies that I have managed to apply:
As per topic 143608.0, I applied the AdwCleaner and Farbar Recovery Scan Tool.
I have attached the following: AdwCleaner[SO].txt, FRST_27-03-2014_08-33-28.txt, Addition.txt
Without analysing the logfile, both the “aartemis” and “22find” have not reappeared.
However, the popups are still present.
Thank you, looking forward to your help.
Hi,
Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*]Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.
[*]Double click on zoek.exe to run the tool.
Please wait for the tool to start…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
createsrpoint;
gpt.ini;z
C:\Windows\System32\GroupPolicy;v
C:\Windows\SysWOW64\GroupPolicy;v
StandardSearch;
emptyfolderscheck;
installer-list;
installedprogs;
uninstall-list;
[*]Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).
[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”
Hold on, Zoek will not even download…
Disable your antivirus and try again…
Thank you for the step by step…
I was going bananas; turning off the antivirus did the trick so far.
Here attached is the zoek-results.txt
Thanks in advance.
Hi,
First of all, uninstall the following from Control Panel
Re-run zoek with this script and attach the fresh zoek log results here.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
C:\Windows\System32\GroupPolicy\GPT.INI;f
C:\Windows\SysWOW64\GroupPolicy\gpt.ini;f
C:\Windows\System32\GroupPolicy\Machine;fs
C:\Windows\System32\GroupPolicy\Machine;fs
FreeHDSport TV 3;ff
afgcheiadenfajcopglckpkbljafhloh;chr
fcdfbolkieagiakglceipfkeehfkipfj;chr
mmifolfpllfdhilecpdpmemhelmanajl;chr
jpkgnchjblgnciiopegmabnakdoapgkj;chr
njljkdinboobkmkihgcohanchjnjpgjk;chr
nneajnkjbffgblleaoojgaacokifdkhm;chr
ohkfcnlkdgejpcgaejdohbcchilbcfgn;chr
bkkopbdfckkaflpjlcbkgagohbheliha;chr
ffglkdlibgllgidehamkfccldefbgenk;chr
nbdbmopeebalgaeghmjoegpkngglikgn;chr
autoclean;
emptyalltemp;
emptyclsid;
ipconfig /flushdns;b
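A read-only audit of the artifacts the script above removes (the GroupPolicy gpt.ini files and the Chrome extension IDs), added here as an example that is not part of this thread or of zoek: it lists what is present on the machine so you can see what a cleanup script would touch before running it. It assumes the default Chrome profile location, PowerShell 3 or later, and that Chrome's ExtensionInstallForcelist policy key is where a policy-forced extension would be registered (the thread itself does not state this).

```powershell
# Added read-only audit; nothing here deletes or modifies anything.
# Assumption: PowerShell 3+ (Get-Content -Raw, ConvertFrom-Json).

# 1. Group Policy files the thread's script removes (gpt.ini;f lines)
$gptFiles = @(
    "$env:windir\System32\GroupPolicy\gpt.ini",
    "$env:windir\SysWOW64\GroupPolicy\gpt.ini"
)
foreach ($f in $gptFiles) {
    if (Test-Path $f) {
        Write-Output "Group Policy file present: $f"
        Get-Content $f | ForEach-Object { "    $_" }
    }
}

# 2. Chrome policy keys that can force-install an extension.
#    Assumption: this is the mechanism behind the gpt.ini entries; the thread does not say so.
$policyKeys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
              'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        Write-Output "Forced extension policy: $k"
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "    $($_.Name) = $($_.Value)" }
    }
}

# 3. Extensions in the default Chrome profile: ID, name and version from manifest.json,
#    so the 32-character IDs in a removal script (the ';chr' lines) can be matched to a name.
$extRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $extRoot) {
    Get-ChildItem $extRoot -Directory | ForEach-Object {
        $id = $_.Name
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        if ($manifest) {
            $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
            # Names of the form __MSG_xxx__ are looked up in a locale file; report them as such
            $name = if ($m.name -like '__MSG_*') { '(localized name)' } else { $m.name }
            [pscustomobject]@{ Id = $id; Name = $name; Version = $m.version }
        }
    } | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell prompt so the HKLM policy key and the Windows GroupPolicy folders are readable.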
so far so good.
As instructed, I have deleted 3 files. then perfo
attached is the Zoek-results_rerun.txt
Thanks for your prompt responses…
How is the situation now?
Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article.
> Double-click on the MBAR file and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.
• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.
Notice: with some infections, you may see two message boxes:
- ‘Could not load protection driver’. Click ‘OK’.
- ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.
>> If infections are found, ensure Create Restore Point is ticked. Then select the Cleanup! button to remove threats.
• The clean-up procedure will be scheduled, and a pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.
>> Notice: only if a rootkit is detected, ensure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution …
- When you see “press any key to exit” the fix is completed; press any key to close the window. Reboot the system.
> The following reports will be created in mbar folder:
- mbar-log-year-month-day (hour-minute-second).txt
- system-log.txt
Please post both logs in your next reply.
Re-run FRST, click scan and attach fresh report.
I hope this next post will not discourage you, but…
when trying to download from your MBAR hyperlink,
In the Chrome browser, I received the following message:
Oops! Google Chrome could not connect to downloads.malwarebytes.org
In IE, : This page can’t be displayed
sorry,
Thanks TwinHeadedEagle,
The new link worked for me.
here are the two files from mbar and the one rerun file from FRST.
I can see the light at the end of the tunnel, for chrome, but IE still has those darn hyperlinks and other popups.
We await your analysis.
Thank you Team Avast / TwinHeadedEagle,
I am not sure if my last MBAR attachments conclude that the malware was eliminated, but all seems to be good now?
Both browsers on Chrome and IE are working smoothly after a reboot.
I think I should have rebooted after we did the Zoek-results_rerun.
Thank you for helping the community with your prompt and timely responses.
From the Zoek script, I realize how the malware infected my PC.
I overlooked this topic, sorry.
Yes, your PC is clean. We only need to remove used tools.
I can recommend you this software to avoid Adware in the future:
http://unchecky.com/
Read here how it works → http://www.howtogeek.com/179758/how-to-avoid-junkware-offers-with-unchecky/
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.