Viruses and Worms - parking.ps keeps taking over the websites!!

:frowning:
Greetings,
I’ve been having this problem for a few weeks now. I contacted customer support, and they made me run a full boot-time scan and clear out all trojans and malware-gens. Then they made me download Malwarebytes Anti-Malware, also with a full scan, getting rid of some more trojans. But the problem still remained:
Every time I’m on a website, I will be redirected to parking.ps in 10-15 seconds. It doesn’t happen on all websites. The damn thing will choose specifically which websites it wants to prevent me from going to. It will change its mind from time to time, sticking to one website, then leaving it, and picking on some other websites.

Here are some of the required logs

More attachments

your malwarebytes was not updated when you scanned
update, run quick scan … if more is detected, attach new log

parking.ps is actually clean for the most well known Online website scanners. :wink:

your logs show an enormous amount of crap files

malware experts are notified…

It won’t make much sense running a quick scan again… I’m running a full scan right NOW.
and PARKING.PS IS A LOAD OF CRAP!!!

It’s not blocked by avast and it’s a news site as far as I can see.

quick scan will detect all actively running malware, and that is what you want now…and it is quick and doesn’t take hours

Hi the system does need a good clean, I will probably not get everything first time around

First you will need to uninstall Norton and AVG

From control panel > programs and features uninstall the following :

Norton
Symantec
AVG

A reboot will probably be required after each uninstall
Then download and run the associated removal tools :

Norton https://support.norton.com/sp/en/uk/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us
AVG http://www.avg.com/gb-en/utilities

Once completed

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Download the attached fix.txt to your desktop

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

- Then click the Run Fix button at the top
- A dialogue will open asking for the location of the fix.txt you downloaded, locate and select that
- Press run fix again
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Junkware Removal Tool to your desktop.

- Right-mouse click JRT.exe and select “Run as Administrator” the tool will open and start scanning your system
- please be patient as this can take a while to complete depending on your system’s specifications
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- post the contents of JRT.txt into your next message.

I did a full scan on Malwarebytes and got another 80 PUPs deleted. The log popped up, I tried to save it to desktop, but it saved in some sort of a weird format, and with a totally irrelevant title. Maybe it was my misclick or an error, I don’t know. If you really need to see that log, could you please tell me how I retrieve it, if it’s possible? Also, I managed to find and delete AVG, but not Norton or Symantec. How can I find them?

just run the removal tools for AVG and Norton that Essexboy gave link to above…

then continue with the OTL instructions…

Essexboy will be back tomorrow

I still couldn’t remove Symantec, but I did everything else exactly the way you said.

The reason why I said I couldn’t delete Norton, is because essexboy told me to first uninstall Norton and THEN download the removal tools (which does sound awkward)

I attached all the log files you need.

yes the normal way is to uninstall the antivirus first, then run the removal tool to clear any leftover files
but if you are not able to uninstall Norton then just run Norton removal tool
you may also try running Norton removal tool from safe mode

if no success Essexboy will probably remove it using OTL when he is back later today

Could you now run a fresh OTL scan please and let me know how the computer is behaving

The computer performance has improved significantly (thank you), but parking.ps is still there. Although it has been behaving a bit passive, it’s still there god damnit.

What browser(s) does this appear in ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013.03.26 00:46:08 | 000,101,888 | ---- | M] (Freemake) [Auto | Running] -- C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe -- (Freemake Improver)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (aou7zzap)
IE - HKCU\..\URLSearchHook: {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - No CLSID value found
IE - HKCU\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found
[2013.07.02 16:02:59 | 000,000,000 | ---D | M] (BrotherSoft Extreme2 B1) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\{94193c2f-e73f-4feb-b393-2b95f0a01430}
[2013.08.30 12:00:22 | 000,000,000 | ---D | M] (Address Bar Search) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}
[2013.08.12 13:12:13 | 000,000,000 | ---D | M] ("WebSite Recommendation") -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\WebSiteRecommendation@weliketheweb.com
O2 - BHO: (?????????? ????????) - {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} - C:\Program Files\Yandex\FastDial\fastdial.dll ()
O3 - HKLM\..\Toolbar: (no name) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)

:Files
C:\ProgramData\Freemake

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
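
Added example, not part of the original thread and not a tool used in it: a small triage script for OTL-style log entries like the ones listed in the fix above. It separates entries that point at nothing ("No CLSID value found", "File not found") from entries whose target still exists and need a human decision. The tag names and function names are assumptions made for this illustration; the sample lines are copied from the fix script above.

```python
import re

# Constructed sample: entries copied from the :OTL section of the fix script in the thread.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (aou7zzap)
IE - HKCU\..\URLSearchHook: {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - No CLSID value found
IE - HKCU\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found
[2013.08.30 12:00:22 | 000,000,000 | ---D | M] (Address Bar Search) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}
O2 - BHO: (?????????? ????????) - {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} - C:\Program Files\Yandex\FastDial\fastdial.dll ()
O3 - HKLM\..\Toolbar: (no name) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
"""

SECTION = re.compile(r"^(SRV|DRV|IE|O\d+) - ")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def classify(line):
    """Return section, triage tag and GUID (if any) for one log entry."""
    m = SECTION.match(line)
    section = m.group(1) if m else "FILE"   # timestamped file/folder entries have no prefix
    g = GUID.search(line)
    if "No CLSID value found" in line:
        tag = "orphan-clsid"        # registry value names a COM class that is not registered
    elif "File not found" in line:
        tag = "missing-file"        # service/driver entry whose binary is gone
    elif "\\extensions\\" in line.lower():
        tag = "browser-extension"   # Firefox profile extension folder
    else:
        tag = "review"              # target exists; needs a human decision
    return {"section": section, "tag": tag, "guid": g.group(0).upper() if g else None}

def triage(log_text):
    """Classify every non-empty line of a pasted log."""
    return [classify(l.strip()) for l in log_text.splitlines() if l.strip()]

def repeated_guids(findings):
    """GUIDs referenced from more than one log section (same leftover, several hooks)."""
    seen = {}
    for f in findings:
        if f["guid"]:
            seen.setdefault(f["guid"], []).append(f["section"])
    return {g: s for g, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(repeated_guids(triage(SAMPLE_LOG)))
```

The tags only sort entries for review; they do not decide whether an entry is malicious.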

Attached

Is it still there ? Do you arrive there when visiting a specific web site or any ?

It’s much more rare now, but I haven’t experimented with it too much; I lost my internet. I’ll update you with more information when I see it again.