JS:Redirector-BXI - HELP

Hello

When I try to open a page in the web browser avast tells that it has blocked JS:Redirector-BXI .
I made a full system scan and a boot scan but AVAST couldn’t find any threats.

Can you help me to remove this trojan?

Thanks

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Hello,

attached the logs.

Thanks,

OK, now you’ll have to wait a bit…

Could you let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.aartemis.com/web/?type=ds&ts=1384700825&from=cor&uid=WDCXWD5000BEKT-60KA9T0_WD-WXJ1AB0H0809H0809&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.aartemis.com/web/?type=ds&ts=1384700825&from=cor&uid=WDCXWD5000BEKT-60KA9T0_WD-WXJ1AB0H0809H0809&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-142647408-438726693-2458708186-1000 - FreeRIP Toolbar - {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - No File
URLSearchHook: HKU\S-1-5-21-142647408-438726693-2458708186-1004 - FreeRIP Toolbar - {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.aartemis.com/web/?type=ds&ts=1384700825&from=cor&uid=WDCXWD5000BEKT-60KA9T0_WD-WXJ1AB0H0809H0809&q={searchTerms}
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.aartemis.com/web/?type=ds&ts=1384700825&from=cor&uid=WDCXWD5000BEKT-60KA9T0_WD-WXJ1AB0H0809H0809&q={searchTerms}
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.aartemis.com/web/?type=ds&ts=1384700825&from=cor&uid=WDCXWD5000BEKT-60KA9T0_WD-WXJ1AB0H0809H0809&q={searchTerms}
SearchScopes: HKU\S-1-5-21-142647408-438726693-2458708186-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-142647408-438726693-2458708186-1001 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://mixidj.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=0265E02A82F9AFCE&affID=123187&tsp=4962
BHO: Hotspot Shield Class -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll => No File
CHR Extension: (Slick Savings) - C:\Users\erto\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2015-05-01] [UpdateUrl: hxxp://www.mybrowserbar.com/update/wt/gc/coupons/update.xml] <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx [2013-10-14]
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\ErrorAssistant_1.2.crx [2013-11-06]
CHR HKLM-x32\...\Chrome\Extension: [jbolfgndggfhhpbnkgnpjkfhinclbigj] -
2015-07-14 18:48 - 2015-07-14 18:48 - 0000000 _____ () C:\Users\erto\AppData\Local\{3FEC9E98-A720-4546-9349-579B0B5DCCCB}
Task: {03016CA3-1E10-43C6-A9B8-C10981615FBD} - System32\Tasks\DSite => C:\Users\erto\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {A4D7C9B3-5BCD-4380-B556-6B36FE84A5B0} - System32\Tasks\DigitalSite => C:\Users\erto\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {F0689D06-4E95-4F8F-8A83-B9BA690298C4} - System32\Tasks\Funmoods => C:\Users\erto\AppData\Roaming\Funmoods\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\DigitalSite.job => C:\Users\erto\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\DSite.job => C:\Users\erto\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Program Files (x86)\Common Files\Spigot
C:\Users\erto\AppData\Roaming\DSite
C:\Users\erto\AppData\Roaming\DIGITA~1
C:\Users\erto\AppData\Roaming\Funmoods
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

Hi,

I ran FRST and then AdwCleaner but the problem still continues. I have the same warning from avast when I try to open a new website.
Logs are attached.

Thanks for help,

Does this occur in all browsers or just one ?

It happens on all browsers, on firefox and iexplorer avast blocks and gives warning. On chrome it redirects to another web site which contains a fake java download link.

OK it appears to be chrome related, so I will have a quick look there

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Unfortunately the problem still continues. I attached the combofix log.

This is definitely in all browsers ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
c:\windows\SysWow64\config\systemprofile\.oracle_jre_usage
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
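For anyone following this thread later: the two fixlists above (the first one resetting the IE search page, search scopes, URLSearchHooks, scheduled tasks, Chrome extensions and proxy settings; the second one rebuilding the local IPsec policy key) each target a specific persistence location. The read-only PowerShell audit below is an added example, not part of this thread and not code from FRST, Avast or any other tool named here. It only lists what is currently set in those same locations, so the output can be compared with an FRST scan before and after a fix. Assumptions: only the Default Chrome profile is examined, Get-ScheduledTask needs Windows 8 / Server 2012 or later, hook DLLs are looked up under HKLM\Software\Classes, and $outFile is a placeholder path.

```powershell
# Added audit script (not from this thread, FRST, Avast or any tool named here).
# Read-only: it lists the persistence locations the two fixlists above reset, so the
# current state can be compared with what a fix is expected to remove.
# Assumptions: only the Default Chrome profile is checked; Get-ScheduledTask needs
# Windows 8 / Server 2012 or later; $outFile is a placeholder path.

$outFile = "$env:USERPROFILE\Desktop\persistence-audit.txt"   # placeholder
$report  = New-Object System.Collections.Generic.List[string]

# Hives to check: 64-bit HKLM, the 32-bit view (FRST's "HKLM-x32"), every loaded user SID
$hives = @('HKLM:\Software', 'HKLM:\Software\Wow6432Node')
foreach ($sid in Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21(-\d+){4}$' }) {
    $hives += "Registry::$($sid.Name)\Software"
}

foreach ($hive in $hives) {
    $ie = "$hive\Microsoft\Internet Explorer"

    # Search Page / Default_Search_URL / Start Page (the values FRST lists as "Main,...")
    if (Test-Path "$ie\Main") {
        $main = Get-ItemProperty "$ie\Main"
        foreach ($name in 'Search Page', 'Default_Search_URL', 'Start Page') {
            if ($main.$name) { $report.Add("[IE Main] $hive : $name = $($main.$name)") }
        }
    }
    # Each SearchScopes subkey is one search provider; its URL value is what FRST prints
    if (Test-Path "$ie\SearchScopes") {
        $default = (Get-ItemProperty "$ie\SearchScopes").DefaultScope
        Get-ChildItem "$ie\SearchScopes" | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath).URL
            $tag = if ($_.PSChildName -eq $default) { 'DefaultScope ' } else { '' }
            if ($url) { $report.Add("[SearchScope] $hive : $tag$($_.PSChildName) URL = $url") }
        }
    }
    # URLSearchHooks: value names are CLSIDs; resolve each to its InprocServer32 DLL
    # ("No File" here is the same condition FRST flags with "- No File")
    if (Test-Path "$ie\URLSearchHooks") {
        foreach ($clsid in (Get-Item "$ie\URLSearchHooks").GetValueNames()) {
            $srv = Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($srv) { $srv.'(default)' } else { 'No File' }
            $report.Add("[URLSearchHook] $hive : $clsid -> $dll")
        }
    }
}

# Scheduled tasks whose action runs from a user profile (the DSite/DigitalSite/Funmoods pattern)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute -match '\\Users\\[^\\]+\\AppData\\') {
            $report.Add("[Task] $($t.TaskPath)$($t.TaskName) => $($a.Execute) $($a.Arguments)")
        }
    }
}

# Chrome extensions in the Default profile whose update_url is not Google's Web Store
$extRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $extRoot) {
    foreach ($m in Get-Item "$extRoot\*\*\manifest.json" -ErrorAction SilentlyContinue) {
        $json = Get-Content $m.FullName -Raw | ConvertFrom-Json
        $id   = $m.Directory.Parent.Name          # <id>\<version>\manifest.json
        if ($json.update_url -and $json.update_url -notmatch '^https://clients2\.google\.com/') {
            $report.Add("[CHR Extension] $id ($($json.name)) UpdateUrl: $($json.update_url)")
        }
    }
}
# Machine-wide Chrome extension installs (FRST's "CHR HKLM-x32\...\Chrome\Extension")
foreach ($k in 'HKLM:\Software\Google\Chrome\Extensions', 'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions') {
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            $report.Add("[CHR HKLM Extension] [$($_.PSChildName)] - $($p.path) $($p.update_url)")
        }
    }
}

# WinINet proxy for the current user (the settings FRST's RemoveProxy: directive clears)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    if ($inet.$name) { $report.Add("[Proxy] $name = $($inet.$name)") }
}

# Local IPsec policy store (the key the second fixlist deletes and recreates empty)
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path $ipsec) {
    $n = (Get-ChildItem $ipsec -Recurse | Measure-Object).Count
    $report.Add("[IPsec] $ipsec exists with $n subkey(s); review them before resetting the store")
}

$report | Set-Content -Path $outFile -Encoding UTF8
$report
```

Run it from an elevated PowerShell prompt so the HKEY_USERS hives and the task scheduler are readable; it writes nothing to the registry or the task store, so it is safe to run before and after an FRST fix to confirm that an entry is actually gone rather than re-created by a task that was missed.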

Hi,
Yes, it is in all browsers. Only in chrome avast did not block the trojan. But in other browsers it blocks and gives a warning as attached.
The problem still continues after running the fix. The fixlog is attached.

Thanks for the help.

Could you start FRST and copy/paste the following into the search box :

s9.addthis.com

Then press search registry

Attach the log generated

log is attached.

OK, that was no good; it is residing somewhere in your system, just a matter of finding it

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

JRT.txt is attached.

Has that stopped it ?

no, it still continues.

Could I have a fresh FRST scan please

attached. Thanks,