I recently “cleaned” (or so I thought) my computer of malware that installed itself as an enterprise extension on Chrome (YTBloccKErAAPp). I thought I had dealt with it my own way, and from what I know, there are no unknown programs or extensions currently installed (via Chrome > Extensions or Control Panel > Add/Remove Programs).
The link that it’s trying to redirect me to is mypageresults.com/blahblah, which, from the research I’ve done, is a commonly known browser-hijacking virus.
This virus has been persistently getting more intensive, and the processes are not just Chrome, but pretty much anything. I’m not sure how to deal with it. I’ve run an antivirus scan and a malware scan, both of which came up with nothing. Is there a reason why this isn’t popping up in any of my virus scans? And how should I go about fixing it?
I have attached various logs that I think are required for these inquiries.
:Commands
[CREATERESTOREPOINT]
:OTL
O2:64bit: - BHO: (IIsaver) - {20ACB41D-AF69-DCEF-707A-780369370679} - C:\ProgramData\IIsaver\qKbqV.x64.dll File not found
O2:64bit: - BHO: (YTBloccKErAAPp) - {F3161909-8CC0-5771-E327-9A8E69C4B9C5} - C:\ProgramData\YTBloccKErAAPp\LeD9.x64.dll File not found
O2 - BHO: (YTBloccKErAAPp) - {F3161909-8CC0-5771-E327-9A8E69C4B9C5} - C:\ProgramData\YTBloccKErAAPp\LeD9.dll File not found
:Files
C:\ProgramData\IIsaver
C:\ProgramData\YTBloccKErAAPp
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
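The three O2 lines in the fix script above are BHO registrations whose DLL is already gone from C:\ProgramData, which is why OTL prints “File not found”: the registration outlives the payload and a later scan keeps reporting it. The following PowerShell is an added example (not part of this thread and not OTL’s or AdwCleaner’s own code) that lists every Browser Helper Object registered on the machine, resolves the DLL each CLSID points at, and flags the ones whose file is missing or that still resolve under C:\ProgramData. It is read-only, and it assumes 64-bit Windows with PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread or from OTL): enumerate Browser Helper
# Objects, resolve each CLSID to its DLL, and flag dangling or suspicious ones.
# Read-only. Assumes PowerShell 3+ on 64-bit Windows; run elevated.

$bhoKeys = @(
    # 64-bit BHOs (OTL reports these as "O2:64bit")
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit BHOs, seen by 32-bit browsers (OTL reports these as plain "O2")
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoStatus {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $is32 = $key -like '*Wow6432Node*'
        $clsidRoot = if ($is32) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }

        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $clsid  = $entry.PSChildName                  # e.g. {F3161909-8CC0-5771-E327-9A8E69C4B9C5}
            $inproc = "$clsidRoot\$clsid\InprocServer32"  # default value holds the DLL path
            $dll    = $null
            if (Test-Path -LiteralPath $inproc) {
                $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($raw) {
                    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"', ' '))
                }
            }
            $name = $null
            if (Test-Path -LiteralPath "$clsidRoot\$clsid") {
                $name = (Get-ItemProperty -LiteralPath "$clsidRoot\$clsid").'(default)'
            }

            [pscustomobject]@{
                Arch          = if ($is32) { 'x86' } else { 'x64' }
                CLSID         = $clsid
                Name          = $name
                Dll           = $dll
                DllExists     = ($dll -ne $null) -and (Test-Path -LiteralPath $dll)
                InProgramData = ($dll -ne $null) -and ($dll -like "$env:ProgramData\*")
            }
        }
    }
}

# Everything registered first, then only the entries worth acting on: a BHO
# whose DLL is gone is a dangling registration left behind by an earlier
# clean-up; one that still resolves under C:\ProgramData is the hijacker's
# payload and is live.
Get-BhoStatus | Format-Table -AutoSize
Get-BhoStatus | Where-Object { -not $_.DllExists -or $_.InProgramData }
```

The `:OTL` section of the fix script deletes exactly those registrations; to do the same by hand for one entry, remove its subkey under the “Browser Helper Objects” key and the matching CLSID key (`Remove-Item -LiteralPath … -Recurse`) after confirming the name and path, then re-run the listing to verify nothing re-registers it on reboot.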
I’m not too sure yet if this fixes the problem, because it’s more of a “wait until it pops up” kind of way of verifying.
But here are the various attached logs (post-fix, scans and AdwCleaner scans). One thing to note is that the log for AdwCleaner was in its own subdirectory and indexed at “0” (not sure if that makes a difference, but saying it anyway).
If it’s possible, is there anything I can take away from this? I’m assuming I had lingering files from when I tried to get rid of the virus before?
Actually, to be fair, the pop-up is no longer regarding Chrome, but pretty much every other process! This includes (but is probably not limited to) Steam, PMB (League of Legends patcher), HexChat, Explorer, etc.
OK, let’s take a better look at the services and tasks.
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
- Press the Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste the log back here.
- The first time the tool is run it generates another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
EDIT: Just an update, I’ve received a couple of webshield pop-ups regarding Chrome as well. So my previous assumption that Chrome was fixed was wrong, I guess :S. One thing I am noticing, though, is that these pop-ups are a lot less frequent than before!
It’s hard to say what exactly prompts the redirect. I can reproduce this every time I start the League launcher, but with Steam, Chrome, HexChat, etc. it’s very random.
The exact process on the pop-up is “Program Files(x86)\Pando Networks\Media Booster\PMB.exe”, which is used for making faster downloads of League patches. A lot of people find it sketchy software, but I don’t personally think it is the root of the problem (it might be, though!).
It appears to have somehow compromised those programmes in addition to Chrome; unfortunately I have no knowledge of Steam or Pando Networks, as I have never used them. It may be a small script entered within the update stream of the programmes, i.e. added as a server address.
I will have a think about it and see if I can come up with a way to locate it.
Alright essex, thanks by the way for your help so far; it’s been making me scratch my head as well.
Not to just give redundant information, but here are a couple of other screencaps I have of the processes it’s catching: when I browse through the game library on Steam, or when I start up Smite (another MOBA game like League of Legends). I don’t know the extent of which processes are compromised, so the scope could be pretty large :S
My initial thoughts are that the wpad.dat file that it is trying to access may have a bad URL within it. Wpad contains a list of servers that the update(s) are available on, so I reckon if you turn off the auto-update functions for those programmes the alerts should cease. However, that is not really useful to you, but it can be done as a test for a short period.
For the majority (if not all), the update functions are integrated into the launcher for the games I’m starting. I’m not sure of a way to bypass this without hacking the launcher itself :S
Would going about this by dealing with the wpad.dat file be better? Should I do a search on it?
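On the wpad.dat question raised in the last few posts: wpad.dat is the proxy auto-configuration script that Windows fetches through WPAD (the “Automatically detect settings” option in Internet Options), and any process that honours the system proxy settings will route through whatever proxy that script, a fixed proxy entry or a PAC URL names. That is one mechanism by which a hijacker can redirect Steam, a game patcher and Chrome alike without touching any of those programs, so the settings are worth reading before searching for the file itself. The following PowerShell is an added example (not from this thread, and not essex’s instructions) that dumps those settings, checks whether a host called “wpad” resolves, prints the WinHTTP proxy, and lists the live entries in the hosts file that the `[resethosts]` command in the earlier fix script resets. It is read-only and assumes PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread): read the proxy-related settings a
# browser hijacker can use to redirect traffic from any process that honours
# the system proxy, which would match non-browser processes being flagged.
# Read-only. Assumes PowerShell 3+; run elevated.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    $inet = Get-ItemProperty -LiteralPath $inetKey

    # WinINET keeps "Automatically detect settings" (WPAD) in a binary blob;
    # byte 8 is the flags field: 0x02 fixed proxy, 0x04 PAC script, 0x08 auto-detect.
    $blob  = (Get-ItemProperty -LiteralPath "$inetKey\Connections").DefaultConnectionSettings
    $flags = if ($blob -and $blob.Length -gt 8) { [int]$blob[8] } else { 0 }

    # Whether a host called "wpad" resolves at all; a hijacker can plant one in
    # the hosts file so every WPAD client on the machine pulls its wpad.dat.
    $wpadIp = $null
    try { $wpadIp = ([System.Net.Dns]::GetHostAddresses('wpad') | Select-Object -First 1).IPAddressToString }
    catch { }

    [pscustomobject]@{
        AutoConfigURL  = $inet.AutoConfigURL        # explicit PAC script URL, if any
        ProxyEnable    = $inet.ProxyEnable          # 1 = fixed proxy in use
        ProxyServer    = $inet.ProxyServer
        WpadAutoDetect = ($flags -band 0x08) -ne 0
        WpadResolvesTo = $wpadIp
        WinHttpProxy   = (netsh winhttp show proxy) -join ' '   # proxy used by WinHTTP clients
    }
}

# Non-comment lines in the hosts file; a "wpad" entry, an update host or a
# well-known site pointed somewhere unexpected is a finding.
function Get-HostsEntries {
    Get-Content -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }
}

Get-ProxyState | Format-List
Get-HostsEntries
```

A clean home machine normally shows no AutoConfigURL, ProxyEnable 0, WinHTTP “Direct access (no proxy server)”, no “wpad” resolution, and a hosts file with only the default localhost lines; anything else is a concrete lead that the tool logs in this thread can then be checked against.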