HTML:RedirME-inf [Trj] detected on webpage constantly.

Hi everyone,

Avast frequently gives me this popup: https://imgur.com/a/utOXL

Threat name: HTML:RedirME-inf [Trj]
URL: hxxp://www.searchnet.com/Search/Loading?v=5 (hxxp to remove hyperlink)
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Detected by: Web Shield
Status: Connection Aborted

Apparently Firefox is attempting to connect to a site containing the trojan, and it happens all the time, even when I am away from my PC. I have conducted full system scans with both Avast and Malwarebytes, and they could not detect any issues.

In fact, literally just then, I got the usual ‘ding ding ding threat has been detected’. I am worried, as I have sensitive data on this machine.

What is causing the attempted redirections, and how can I remove it? Thanks

instructions >> https://forum.avast.com/index.php?topic=194892.0

I have followed the instructions dealing with scanning. Malwarebytes still returns nothing, and FRST64.exe has provided Addition.txt and FRST.txt. What do I do with these files? Thanks for your patience.

As the instructions say, you attach them here.

When done, a malware expert will be notified and help you when online.

removed by author

You attach them here in your post.

There are how-to-do-it pictures in the instructions … read it all :wink:

How did I miss that? Thanks. I’m also attaching them to the topic message.

Malware experts are notified; it may take hours before anyone is online.

The logs are incomplete. Please delete FRST and the logs. Then download a fresh copy of FRST and try again. Thank you.

I think previously the tool might have been interrupted while working. Here are fresh versions of both files.

Thanks for the fresh logs.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Also, your DNS server is set to a local one (10.0.0.138). Are you familiar with this server? Can you use a Google Public DNS server (8.8.8.8) and see if the problem still happens?

Thanks. I followed your steps. The computer restarted successfully. However, immediately, Malwarebytes spat out this notification, which is the same thing Avast blocked previously: https://imgur.com/a/HZWHu

Fixlog.txt has been attached.

I am not familiar with that server, I just use whatever the system determines works, as I don’t know much about DNS servers. How would I safely go about using Google Public DNS server 8.8.8.8? Thanks for your patience - this is a new rig and I am a little nervous that I’ll make a damaging mistake.

Firefox does not attempt to redirect at specific times. It is rather random, as over the last 24 hours, it had actually stopped. As I am writing this, it has only occurred once since the restart.

This is the file detection, and not only Avast flags it: https://www.virustotal.com/nl/file/81225b82b84950db67b869c03c1c6685f326fd1693425137a89a83a358242f11/analysis/1512117653/ landing at -http://live-winners.com/go/c/107/4/vars?sid=9715840 , a malicious site and phishing site: https://www.virustotal.com/nl/url/3e6ecc1fea111845d881b29d4dacc45111bda1db6077b7ab9eebcff956d2e3d5/analysis/1514643804/
DrWeb has it as a known infection source/not recommended site. List of iframes included:
hxtp://findbetterresults.com/?dn=live-winners.com&pid=9PO755G95 IP is also launching ransomware.
Why blacklisted and malicious history of IP: https://cyberwarzone.com/malicious-history-of-54-72-9-51/

polonus (volunteer website security analyst and website error-hunter)

If you are still interested in changing your DNS, there are good directions on how to do this here.