Browser Redirecting to unwanted websites

Hi
My machine has been infected by some adware. It redirects to other websites after a link is opened. Initially it was redirecting through tradexchange.com, but it has gradually become more sophisticated and now redirects in the same tab itself. If I try to connect any mobile device through my PC, browsing is hijacked there too and a prompt opens in the mobile browser directing me to install some app from the Play Store. It is also modifying modem settings, because the modem UI does not open unless it is reset again.
Please find the attachment. Thanks in advance.

Did you install this: Connectify Hotspot?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2016-03-31 22:33 - 2016-03-31 22:33 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionC650EF95-39A1-4C3E-BF2E-AA9365241BF0
2016-03-31 21:42 - 2016-03-31 21:42 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection1735D568-EC85-4110-B165-9F2371461C42
2016-03-31 20:42 - 2016-03-31 20:42 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection24391CB3-440A-4462-94A9-405D58C63533
2016-03-31 20:20 - 2016-03-31 20:20 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection32F32607-EA7F-4121-96A8-5770EAF9B83A
2016-03-31 19:50 - 2016-03-31 19:50 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionECF87DE6-242F-47C1-9E1C-77D7E6E5930B
2016-03-31 19:34 - 2016-03-31 19:34 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection3B1C3EA6-914A-45DD-A2E3-2D6047A034EA
2016-04-08 23:33 - 2016-04-08 23:33 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionF694676F-70F3-432F-B0DF-AF010CFEACCC
2016-03-30 12:07 - 2016-03-30 12:07 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection5269F249-216A-45C8-BD56-204B561CF595
2016-03-26 10:53 - 2016-03-26 10:53 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection48972D24-4C8B-4AA1-B499-18ED2ADE946C
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

Thanks for helping.
I installed Connectify a few days back, while the adware has been there for nearly two months.
After the FRST fix, redirection was still there and AdwCleaner did not find any issue.

Which browser are the redirects evident in?

Mozilla and Chrome. I have not checked IE in the meantime.

Do any other computers that use your router experience the same problem?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

As I said, browsers of mobile devices connected through the PC via the netsh command or Connectify are getting hijacked persistently. My modem is a single-user one where only one PC can be connected through the LAN port. It has got no Wi-Fi.
I have reason to believe that the adware was not there when I connected through the Android hotspot, but I am not sure, as I used the internet through the Android hotspot for a limited period of time.

Here is a redirection snapshot I took just now.
After I installed Malwarebytes, it is showing notifications for malicious websites but is not able to block them.

Could you run Chrome in incognito mode and let me know if the redirects still occur?

Yes, redirection does occur in incognito mode too. In fact it has occurred today itself.

OK, let's look deeper.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Ran the requisite tool. The computer seems to be running normally. I have to wait for some time to confirm, as redirection does not occur on every click.

It’s still there.

Could you update FRST please and run a fresh scan? A new version has been released.

PFA the FRST log

This will reset the Chrome start page.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR StartupUrls: Default -> "hxxp://www.msn.com/?pc=UP21&ocid=UP21DHP&dt=042913","hxxp://in.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_pwrisofs_15_37&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Fzz0AzyyCtAtD0EtAyByEtDzzyBtC0DtN0D0Tzu0StCtAyEyBtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2S0EtBzztAtA0EzzzztG0DyDtBzytGyE0EyByDtGzz0DyByCtG0Bzy0F0ByE0F0EyE0AtB0DyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DtAzy0FyB0D0DtG0CzztC0EtGyE0ByB0FtGzzzytA0CtG0Dzy0CtA0Fzy0EtD0DzytD0D2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1684186756%26a%3Dwncy_pwrisofs_15_37%26os%3DWindows%2B7%2BProfessional"
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

I guess it has something to do with the Connectify installation. Malwarebytes was showing attachment of tradexchange.com to connectify.exe apart from chrome.exe. Now I have uninstalled Connectify.

Has that remedied the problem?

Nope, problem still persists.

Whereabouts are you, as your DNS server is in the UK?
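The three FRST fixlists in this thread clear specific settings (the WinINET proxy via RemoveProxy:, the IPSec local policy key, the Chrome startup URLs, and CustomCLSID entries whose DLL is missing), and the last question turns on which DNS server the machine is actually using. The following read-only PowerShell audit, added here as an example and not part of the thread or of FRST, collects exactly those settings in one place so that a before/after comparison can be made without changing anything. It assumes Windows PowerShell 3.0 or later on the affected machine (the thread's Chrome URL identifies Windows 7 Professional, so the DNS query uses WMI rather than the newer NetTCPIP cmdlets); every path and registry key it reads is one that appears in the fixlists above, and the hosts-file check is an added, standard location for redirect persistence.

```powershell
# Read-only audit of the settings the fixlists in this thread touch. Added example,
# not the forum's or FRST's own code. Makes no changes; run as the affected user.
# Assumes Windows PowerShell 3.0+ (ConvertFrom-Json) on Windows 7 or later.

"=== 1. WinINET proxy settings (cleared by the RemoveProxy: directive) ==="
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL   # a PAC URL here silently reroutes all browser traffic
} | Format-List

"=== 2. DNS servers per IP-enabled adapter (compare with what the modem/ISP should assign) ==="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DHCPEnabled, @{n='DNS'; e={ $_.DNSServerSearchOrder -join ', ' }} |
    Format-Table -AutoSize

"=== 3. Non-comment entries in the hosts file (added check, not in the fixlists) ==="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[^#\s]' }

"=== 4. Chrome startup URLs and homepage (what the CHR StartupUrls: line resets) ==="
$pref = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $pref) {
    $json = Get-Content $pref -Raw | ConvertFrom-Json
    [pscustomobject]@{
        RestoreOnStartup = $json.session.restore_on_startup
        StartupUrls      = ($json.session.startup_urls -join ' | ')
        Homepage         = $json.homepage
    } | Format-List
} else {
    "Chrome Preferences not found at $pref"
}

"=== 5. IPSec local policy key (deleted and recreated by the first fixlist) ==="
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path $ipsec) {
    $children = @(Get-ChildItem $ipsec -Recurse -ErrorAction SilentlyContinue)
    "Key exists with $($children.Count) subkey(s)"
    $children | Select-Object -ExpandProperty PSChildName
} else {
    "Key not present"
}

"=== 6. Per-user CustomCLSID InprocServer32 entries whose DLL no longer exists ==="
# HKU\<SID>_Classes in the FRST log is the same hive as HKCU\Software\Classes.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)') {
        $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
        if (-not (Test-Path $dll)) {
            [pscustomobject]@{ CLSID = $_.PSChildName; MissingDll = $dll }
        }
    }
} | Format-Table -AutoSize
```

Section 6 reproduces the condition FRST reports as "=> No File": a COM class registered under the user's own hive that points at a DLL which is no longer on disk. Such entries are usually leftovers from updaters (the ones in this thread all point at old Google Update versions), but because per-user CLSID registrations override machine-wide ones for that user, a live DLL in an unexpected location would be worth examining. Section 2 answers the helper's final question directly: a DNS server that does not belong to the ISP or the modem, on an adapter the user did not configure, is the first thing to compare across the PC and any device tethered through it.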