Browsers compromised

When I navigate the web, some web pages are altered to display ads, mostly Russian ads.

I eventually tracked the problem to a Dell System Detect vulnerability. Apparently an old version of the program let an intruder execute code on all my Dell computers and install some sort of malware.

The problem is: neither Avast nor any of the programs I tried were able to solve the web browser’s problems.

The malware apparently redirects some pages to a rogue server that alters the original page to display additional ads.

Can anyone help me?

Hi obertobrandao, welcome to the forum :slight_smile:

Please follow this tutorial https://forum.avast.com/index.php?topic=53253.0 and attach the requested logs in your next reply.
As soon as an expert is online and available he/she will help you.

Greetz, Red.

I followed all the instructions.

The logs are attached to this message.

Thank you for the advice!

Hi, is this in the Chrome browser only?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

```
CreateRestorePoint:
2015-04-06 14:00 - 2015-04-17 10:06 - 00000000 __HDC () C:\Users\Todos os Usuários\{6AACA38B-2810-4B47-BDEC-D7A1F38B1531}
2015-04-06 14:00 - 2015-04-17 10:06 - 00000000 __HDC () C:\ProgramData\{6AACA38B-2810-4B47-BDEC-D7A1F38B1531}
C:\Users\Roberto\RUNSTATE.DAT
C:\Users\Roberto\RUNTRACE.DAT
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
```

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[S0].txt as well.

Thank you!

I did follow the instructions. But the browsers are still infected :cry:

See attached log files.

Roberto

Is it in all browsers or just Chrome?

You are right. IE seems to work fine!

Chrome still infected.

OK, one of the extensions is not what it seems.

https://forum.avast.com/index.php?topic=52252.msg1205346#new

Re-install Chrome

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go to Google Sync and sign into your account.
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”.
  4. Now we need to uninstall Chrome.
    Note: When asked about user data or settings you must remove this also, so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Essexboy you are incredible! Chrome seems to work fine now.

I will now try the same procedures on the second computer. I will post the logs as long as I can produce them.

OK, but be aware that Chrome is no longer as secure as it is reported to be.

Huumm. Is Chrome no longer safe in general? Or is there a possibility that the security issue I have with three other computers might reinfect the one I have just cleaned?

I find IE slow although it does work better than Chrome with a few sites. What do you recommend, Firefox?

Opera :wink: www.opera.com/

I’ll try Opera.

I have attached the second set of logs.

Here they go!

If this one has the same Chrome problem then re-install that as well.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

```
CreateRestorePoint:
2015-04-14 11:02 - 2014-12-22 13:22 - 00000000 ____D () C:\Users\Todos os Usuários\boost_interprocess
2015-04-14 11:02 - 2014-12-22 13:22 - 00000000 ____D () C:\ProgramData\boost_interprocess
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
```

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Here goes the fix log.

What problems remain?

I ran the adware cleaner too. Here goes the log! I removed Chrome too.

I will send the first set of logs from the third computer in a minute.

Computer # 3 log.

Here they go!

This one also has McAfee still running.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

```
CreateRestorePoint:
2015-04-17 08:14 - 2015-04-17 08:14 - 00000000 __HDC () C:\Users\Todos os Usuários\{6AACA38B-2810-4B47-BDEC-D7A1F38B1531}
2015-04-17 08:14 - 2015-04-17 08:14 - 00000000 __HDC () C:\ProgramData\{6AACA38B-2810-4B47-BDEC-D7A1F38B1531}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
```

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Everything seems fine now. The fourth Dell computer, the one that has Windows 7, does not seem compromised after all. :slight_smile:

Here go the final logs!
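
The fixes in this thread touch a local IPsec policy key, proxy settings, BITS jobs and, in the end, a Chrome extension. The following read-only check lists what is currently set in each of those places, so the state can be compared before and after a fix. It is an added example, not part of any forum post and not part of FRST or AdwCleaner; the function name `Get-RedirectAudit`, the choice of proxy values, and the use of Chrome's Default profile are assumptions of the example.

```powershell
# Added example: read-only audit, changes nothing. Needs PowerShell 3.0 or later.
# Get-RedirectAudit is a name made up for this example.
function Get-RedirectAudit {
    $found = @()

    # 1. Local IPsec policy key, the one the fixlist "Reg:" lines delete and recreate.
    $ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    foreach ($k in @(Get-ChildItem $ipsec -ErrorAction SilentlyContinue)) {
        $found += [pscustomobject]@{ Area = 'IPsec policy'; Item = $k.PSChildName; Detail = 'subkey present' }
    }

    # 2. Current user's proxy settings (standard WinINet values; assumed to be
    #    the kind of setting "RemoveProxy:" is for, the thread does not list them).
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty $inet -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        if ($p.$name) {
            $found += [pscustomobject]@{ Area = 'Proxy'; Item = $name; Detail = "$($p.$name) (ProxyEnable=$($p.ProxyEnable))" }
        }
    }

    # 3. BITS jobs, which "bitsadmin /reset /allusers" clears. -AllUsers needs an elevated prompt.
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    foreach ($job in @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        $urls = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ', '
        $found += [pscustomobject]@{ Area = 'BITS job'; Item = $job.DisplayName; Detail = "$($job.OwnerAccount): $urls" }
    }

    # 4. Chrome extensions in the Default profile (assumed location), with the
    #    permissions each one requests. Layout: Extensions\<id>\<version>\manifest.json
    $ext = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    foreach ($m in @(Get-ChildItem (Join-Path $ext '*\*\manifest.json') -ErrorAction SilentlyContinue)) {
        try {
            $json = Get-Content -LiteralPath $m.FullName -Raw | ConvertFrom-Json
            $found += [pscustomobject]@{
                Area   = 'Chrome extension'
                Item   = "$($json.name) [$($m.Directory.Parent.Name)]"
                Detail = ($json.permissions -join ', ')
            }
        } catch {
            $found += [pscustomobject]@{ Area = 'Chrome extension'; Item = $m.FullName; Detail = 'manifest not parseable' }
        }
    }
    $found
}

Get-RedirectAudit | Format-Table -AutoSize -Wrap
```

An extension name shown as `__MSG_...__` is a localisation placeholder; use the ID in brackets to find the extension at chrome://extensions.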