I have been getting these popups when I first start my computer and connect to the internet. I have run Malwarebytes and AdwCleaner, and they found a program called netengine, which they removed. I rebooted my computer and got the reduled.info blocked popup. I reran Malwarebytes and it didn’t find anything. I ran the Farbar Recovery Scan Tool and have attached the two log files it generated. I am now running the aswMBR.exe and waiting for it to finish.
Monitoring
Thanks, will post that other log file when the scan finishes. From the looks of things, this seems to be a very active problem. Just a quick question on that scan: the button that says Scan will go back to saying Scan when the scan is finished, correct? Right now it says Stop, and I just want to make sure, since it seems to be taking a bit of time.
Edit: I went to do something else while that scan ran, and when I got back, my computer had shut down and said it had encountered a problem. I also did not have network connections (I use the internet on a home network). I restarted my computer again, and network (and internet) had come back, and I haven’t gotten that popup again yet. (I also only seemed to get the infection blocked popup once upon starting my computer and connecting to the internet. I may have to run the Farbar tool again since my computer just updated itself, but I am leery of running the other scan as I don’t know what caused my computer to crash.)
Edit again: I disconnected and reconnected, and it detected a reddie or something like that.
I am rerunning the aswmbr, and I hope it wasn’t that that caused windows to crash.
How long does the aswMBR normally take to run? It seems to be taking a long while, and I am not sure it is working (there is nothing showing in the box that says it is running; everything is static, with the last entry being 11:01:05.425 AVAST engine scan S:\users\Catherine). Should I save the log (I have that option), stop it, or just let it go?
Just finished the scan and here it is. It did say in the window that the Unity Web Player uninstall was infected.
Edit: Just a quick question. I have seen many people on the forums with the same problems as I have (and I feel a lot better about windows crashing, now that I have seen others have that aswMBR crash the first time they ran it). Where would the malware that is causing the redule.info attacks come from? I have an idea (my fault I was clicking too fast a couple weeks ago on some downloaded software license agreements, and it downloaded some malware, though I thought I got rid of most of it), but where else might this have come from? I don’t usually go to websites unless I trust them, and have been to them before with no problems or many other people I trust have been to them. Just wondering what I would need to avoid/be careful of if I wasn’t infected how I think I was.
Scan with ZOEK
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
[*]Right-click on the Zoek icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:
createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /reset /allusers;b
ipconfig /flushdns;b
[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, the logfile will open after the reboot. You may also find it on your main drive (usually the C:\ drive).
Post its content into your next reply.
I have copied and pasted and attached the file so whichever is easier for you.
Thanks for helping me
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Catherine on Mon 05/18/2015 at 13:17:39.96.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Catherine\Downloads\zoek.exe [Scan all users] [Script inserted]
==== System Restore Info ======================
5/18/2015 1:18:20 PM Zoek.exe System Restore Point Created Successfully.
==== Deleting CLSID Registry Keys ======================
==== Deleting CLSID Registry Values ======================
==== Deleting Services ======================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAWFwk deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\McAWFwk deleted successfully
==== FireFox Fix ======================
ProfilePath: C:\Users\CATHER~1\AppData\Roaming\KompoZer\Profiles\isia4dc4.default
user.js not found
---- FireFox user.js and prefs.js backups ----
prefs_20150518_0125_.backup
ProfilePath: C:\Users\CATHER~1\AppData\Roaming\Mozilla\Firefox\Profiles\6wo2z1x2.default
user.js not found
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 0);
---- FireFox user.js and prefs.js backups ----
prefs_20150518_0125_.backup
==== Batch Command(s) Run By Tool======================
==== Deleting Files \ Folders ======================
C:\Users\Catherine\AppData\Roaming\calibre deleted
C:\Users\Catherine\AppData\Roaming\Yahoo! deleted
C:\PROGRA~3\Yahoo! deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Catherine\Downloads\avast_free_antivirus_setup_online_cnet.exe deleted
C:\Windows\wininit.ini deleted
==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [04/28/2015 09:01 AM]
==== Firefox Extensions ======================
ProfilePath: C:\Users\CATHER~1\AppData\Roaming\KompoZer\Profiles\isia4dc4.default
- Undetermined - %ProfilePath%\extensions\installed-extensions.txt
- KompoZer classic - %ProfilePath%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
ProfilePath: C:\Users\CATHER~1\AppData\Roaming\Mozilla\Firefox\Profiles\6wo2z1x2.default
- Lab Ray Logger by Jellyneo - %ProfilePath%\extensions\jid1-APeeboHMLKBwqw@jetpack.xpi
- The Addon Bar restored - %ProfilePath%\extensions\the-addon-bar@GeekInTraining-GiT.xpi
- Firesizer - %ProfilePath%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
==== Firefox Plugins ======================
Profilepath: C:\Users\Catherine\AppData\Roaming\Mozilla\Firefox\Profiles\6wo2z1x2.default
9AE02005247DA91AB1743F5208DBEF76 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
FBF151BDF3156D1FEFD5E992D89D65CC - C:\Users\Catherine\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
==== Chromium Look ======================
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[04/28/2015 09:01 AM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[04/28/2015 09:01 AM]
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://acer13.msn.com/?pc=ACJB"
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://acer13.msn.com/?pc=ACJB"
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{47F281A0-7BAA-4DBF-9F7A-7A320FBADAA2} Unknown Url="Not_Found"
==== Deleting CLSID Registry Keys ======================
HKEY_USERS\S-1-5-21-408192870-1804247360-927827351-1000\Software\Microsoft\Internet Explorer\SearchScopes\{47F281A0-7BAA-4DBF-9F7A-7A320FBADAA2} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{47F281A0-7BAA-4DBF-9F7A-7A320FBADAA2} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{47F281A0-7BAA-4DBF-9F7A-7A320FBADAA2} deleted successfully
==== Deleting CLSID Registry Values ======================
==== Deleting Registry Keys ======================
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcpltui_exe deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe deleted successfully
==== Empty IE Cache ======================
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Catherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Catherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
==== Empty FireFox Cache ======================
C:\Users\Catherine\AppData\Local\Mozilla\Firefox\Profiles\6wo2z1x2.default\cache2 emptied successfully
==== Empty Chrome Cache ======================
No Chrome User Data found
==== Empty All Flash Cache ======================
Flash Cache is not empty, a reboot is needed
==== Empty All Java Cache ======================
Java Cache cleared successfully
==== C:\zoek_backup content ======================
C:\zoek_backup (files=29 folders=10 11080632 bytes)
==== Empty Temp Folders ======================
C:\Users\Catherine\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\Windows\Temp successfully emptied
C:\Users\CATHER~1\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== Deleting Files / Folders ======================
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\abcnews.go.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\admin.brightcove.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\cndfbstatic.bitdotgames.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\fbstatic-a.akamaihd.net" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\foxnewsplayer-a.akamaihd.net" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\home.mcafee.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\hotshot-webgames.ssl.hwcdn.net" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\launch.newsinc.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\s-ak.kobojo.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\shinezone-a.akamaihd.net" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\www.myfoxatlanta.com" not found
"C:\Users\Catherine\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\M9TJG5AN\www.nbcbayarea.com" not found
==== EOF on Mon 05/18/2015 at 13:29:03.87 ======================
How is your PC behaving now?
So far I haven’t gotten the popup. It only came up when I first connected to the internet, seemingly only in the mornings (when I first boot the computer). Thanks.
Where can I find the scan logs and popup logs in Avast? I have looked, but haven’t found them yet.
Going to reboot my computer and see if I get the popup.
Okay, so far I haven’t gotten a popup message about it, and I just rebooted my computer and connected (which is when I tended to get the message), so thanks. Will let you know if it comes back.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
[*]Remove disinfection tools
[*]Create registry backup
[*]Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
I haven’t run DelFix yet (for some reason, every time I try to go to the general changelog links, I get 404 not found; I had to find the aswMBR through a search), but so far I haven’t gotten that popup again, so thanks. Will look for the DelFix program and run it. Did you want me to post the report, or is it just for my sake?
EDIT: Found the file and ran it and got the report. Thanks again for all your help.