Redirecting  Virus Help Please

system · 2017-06-05T12:53:53.000Z

I have had it before but never on this laptop. I need help asap for getting rid of the redirect virus. Pages open on my browser when I am at another site I am assuming this is the problem

Thanks
MystiqueofIndy

Eddy · 2017-06-05T13:13:25.000Z

https://forum.avast.com/index.php?topic=194892.0

dbrisendine · 2017-06-06T05:04:02.000Z

We need the scan logs mentioned in the above post if we are to help you (unless you are getting help elsewhere). Thanks.

system · 2017-06-11T21:51:22.000Z

dbrisendine,

No I have been in hospital just get released so I am about to start the process in a few

system · 2017-06-12T01:09:42.000Z

Malwarebytes scan report

dbrisendine · 2017-06-12T02:07:10.000Z

Please rerun Malwarebytes and have it fix / delete whatever it finds. Then run fresh FRST logs and post all three files here (the MBAM log, the fresh FRST.txt and Addition.txt logs). Thanks.

system · 2017-06-12T02:55:05.000Z

I see I need to run an additional scan. I did not notice where the text logs where to come from unless they appear after scan has finished. I am stuck downstairs viewing my t shows via laptop. Since Malwarebytes ran I cannot view anything and by stuck downstairs i mean i am recuperating and I cannot figure out how to exclude that site. wxw.daretelly.com

Thanks for al the help so far
Mystiqueofindy/

polonus · 2017-06-12T06:24:33.000Z

Hi MYSTIQUEFINDY,

Please make that link non-clickable for the not aware: https://www.scamadviser.com/is-daretelly.com-a-fake-site.html
Website has frame malcode…The location line in the header above has redirected the request to: htxp://ww1.daretelly.com/?subid1=2df0e4b0-4f37-11e7-9883-52d2c8003443 → redirect htxp://ww1.daretelly.com/rg-erdr.php?rpo= obfuscated code…
to adware: hXtp://googleads.g.doubleclick.net/pagead/gcn_p3p.xml

polonus

system · 2017-07-03T04:13:15.000Z

OK I am still here or at least back home from hospital x2. I reset PC to factory on PC#2, the original one I spilled wine on so it is off to be repaired if possible. On the one I am currently using not much was on it so not much was lost. All was well until I went to that darn DareTelly TV. I did not see the post until after I attempted to view a tv show…now I know that site caused it a.g.a.i.n. Attached is the Malwarebytes scan which was clear. I still am being redirected due to visiting that site…so what’s the next step? Terry

system · 2017-07-03T05:08:01.000Z

I downloaded both Farbar’s exes. My PC needs the 64 bit but the Windows Smartscreen prevented it from opening. I was trying to turn the firewall off but I am very unfamiliar to Win 10… need to know how to get around this so I can post the logs. Thanks…Terry

Eddy · 2017-07-03T06:37:36.000Z

https://www.howtogeek.com/75356/how-to-turn-off-or-disable-the-smartscreen-filter-in-windows-8/

system · 2017-07-03T23:44:35.000Z

Thanks Eddy that did the trick and I was finally able to open farbar 64 bit.

dbrisendine · 2017-07-04T02:40:49.000Z

FIRST >>>>

Please download the MCPR tool from here. Double click on the downloaded file and follow the prompts to let it clean what is left of McAfee off your system. (These remains could be interferring with Avast.)

SECOND >>>>

1- Please double-click on FRST64 (the one you scanned your system with).
2- Press the Ctrl+y (Ctrl and y keys at the same time).
3- A fixlist.txt file opens up in notepad.exe. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad.

Start:: CreateRestorePoint: CloseProcesses: HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK14/1 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK14/1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1 HKU\S-1-5-21-1970300532-3615421346-527185286-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK14/1 HKU\S-1-5-21-1970300532-3615421346-527185286-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK14/1 SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} SearchScopes: HKU\S-1-5-21-1970300532-3615421346-527185286-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} CHR StartupUrls: Default -> "hxxp://yahoo.com/" CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms} CHR DefaultSearchKeyword: Default -> yahoo.com CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms} CHR Extension: (Google Slides) - C:\Users\Terry Swanigan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-07-02] CHR Extension: (Google Drive) - C:\Users\Terry Swanigan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-02] CHR Extension: (Grammarly for Chrome) - C:\Users\Terry Swanigan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2017-07-02] CHR Extension: (Chrome Web Store Payments) - C:\Users\Terry Swanigan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-07-02] CHR Extension: (Chrome Media Router) - C:\Users\Terry Swanigan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-02] S2 0286671499041920mcinstcleanup; C:\windows\TEMP\028667~1.EXE [834664 2013-07-12] (McAfee, Inc.) C:\windows\TEMP\028667~1.EXE R2 mcbootdelaystartsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [326856 2013-07-10] (McAfee, Inc.) S4 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [X] S2 mfevtp; "C:\windows\system32\mfevtps.exe" [X] U3 aswbdisk; no ImagePath S0 cfwids; system32\drivers\cfwids.sys [X] S0 mfeapfk; system32\drivers\mfeapfk.sys [X] R0 mfeavfk; system32\drivers\mfeavfk.sys [X] S0 mfeelamk; system32\drivers\mfeelamk.sys [X] S0 mfefirek; system32\drivers\mfefirek.sys [X] R0 mfehidk; system32\drivers\mfehidk.sys [X] R0 mfewfpk; system32\drivers\mfewfpk.sys [X] 2017-07-02 20:30 - 2017-07-02 20:30 - 00000000 __RSH C:\windows\SysWOW64\Drivers\103C_HP_cPC_21-h013w_Y53316J_0U_Q5CM41507CS_E14AM1ARA602_4A_I2B0D_SHP_VA01_B80.08_T140304_W8101-0_L409_M3987_J2_7Intel_86C3_92.60_#140408_N10EC8168;168C0032_Z_G80860402_Ohp CDDVDW SN-208FB_DHWP421A.MRK 2017-07-02 20:30 - 2017-07-02 20:30 - 00000000 __RSH C:\windows\system32\Drivers\103C_HP_cPC_21-h013w_Y53316J_0U_Q5CM41507CS_E14AM1ARA602_4A_I2B0D_SHP_VA01_B80.08_T140304_W8101-0_L409_M3987_J2_7Intel_86C3_92.60_#140408_N10EC8168;168C0032_Z_G80860402_Ohp CDDVDW SN-208FB_DHWP421A.MRK cmd: ipconfig /flushdns cmd: netsh advfirewall reset cmd: netsh advfirewall set allprofiles state on Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f CMD: bitsadmin /reset /allusers RemoveProxy: EmptyTemp: Reboot: End::

4- Press the Ctrl+s keys to save the file. Close the notepad / fixlist.txt file.
5- Press the Fix button just once.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop or the same directory it was run from (Fixlog.txt). Please post it to your reply.

LAST >>>>

AdwCleaner

Download AdwCleaner from here . Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v6_start_zps5nymee4e.png

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it may ask to reboot, allow this

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

system · 2017-07-05T13:20:38.000Z

Here ya go, since one of the posts (forgot users name said DareTellyTV was the reason for the redirect virus to hit, how do I keep from stumbling upon another site again like this or will Malwarebytes stop me from entering?

These 2_: https://xmovies8.zone/ and http://projectwatchfreetv.pw/ are the 2 new sites I now view tv online with. I do not want this to happen again thus my reason for asking. Does anyone know of a safe tv/movie site out there?

system · 2017-07-06T00:14:57.000Z

Still getting a window that opens named redirect this leads me to that annoying Microsoft virus warning page that locks the browser up and I end up having to
close the browser out sometimes to get it to stop with the popups. It is nowhere as bad as it once was but it’s still lingering around.

Eddy · 2017-07-06T09:07:54.000Z

Please provide new log files.

dbrisendine · 2017-07-07T05:57:42.000Z

If Avast is no longer active on your system and Malwarebytes is the paid real time protection version then you may want to uninstall Avast to see if it is interfering with Malwarebytes. If you don’t have the real-time protection in Malwearebytes (you are only using the free version of it) then you will want to enable Avast.

Announcements