Websites redirecting-scans find nothing

Hello,
I got some ransomware (“Interpol” “Italian Police”) that isn’t locking up my computer or preventing safemode etc., but it is redirecting every non-major website (for example huffingtonpost.com, atlantic.com). For whatever reason, major sites like cnn.com, espn.com, google sites, and the avast sites run fine and aren’t redirected. But the overwhelming majority of sites are redirected, either to the ransomware page or to a variety of “dating” services.

An early scan with Avast found a few files, but the problem persists, and scans with Malwarebytes, Avast, AdwCleaner, and Ad-Aware antivirus all show nothing. I am not sure how to attach scan results for the few times Avast actually found something, though I can attach one AdwCleaner operation that did get rid of some things (but once again, not the central problem).

Please advise on how to proceed,
Thank you

Scan with Malwarebytes and AdwCleaner … remove everything they find
Post logs here

If still problems, see instructions here https://forum.avast.com/index.php?topic=53253.0
scroll down to Farbar Recovery Scan Tool … follow instructions and attach the two diagnostic logs

The scans have shown nothing for 2 days now, and I can’t find any logs on my computer except for an adwcleaner scan and clean. I will put in that info and what avast reported though.

AdwCleaner scan:

AdwCleaner v3.311 - Report created 11/10/2014 at 21:30:28

Updated 30/09/2014 by Xplode

Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

Username : Alex - HAL

Running from : C:\Users\Alex\Downloads\AdwCleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
File Found : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
File Found : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.xpt
File Found : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
File Found : C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.xpt
File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Found : C:\ProgramData\Browser Manager
Folder Found : C:\Users\Alex\AppData\Local\iLivid

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\ilivid
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : [x64] HKCU\Software\ilivid
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found : HKLM\SOFTWARE\Classes\dnUpdate
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found : HKLM\SOFTWARE\iLividSRTB
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

***** [ Browsers ] *****

-\ Internet Explorer v11.0.9600.17280

-\ Mozilla Firefox v32.0.3 (x86 en-US)

[ File : C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\zkanhgp6.default-1413030450884\prefs.js ]

-\ Google Chrome v37.0.2062.124

[ File : C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [3319 octets] - [11/10/2014 21:30:28]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3379 octets] ##########

As for Avast:
A quick scan found these infected files:
C:\Users\Alex\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6GMZ0NOR\fr[1] Severity: High, Status: Threat: JS:ScriptIP-inf[Trj]

C:\Users\Alex\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 [followed by a ton of random numbers, letters]
Severity: High, Status: Threat HTML: FakeLock-F[Trj]

Following the successful quarantining of these two, Avast did a boot scan, in which it found three similar files in this location:

C:\Users\Alex\AppData\Local\Mozilla\Firefox\Profiles
These were HTML: FakeLock-F[Trj]

Finally, another quick scan found a JS: ScriptIP[Trj] under the same general location as the first quick scan.

Though all these were successfully quarantined, I have run about 17 scans since, finding absolutely nothing, although the problem persists.

Malwarebytes found infected files a few weeks ago, but then everything was fine until a few days ago, during which time Malwarebytes has had absolutely nothing to report.

Hope this helps

See instructions here https://forum.avast.com/index.php?topic=53253.0
scroll down to Farbar Recovery Scan Tool … follow instructions and attach the two diagnostic logs

Ok, both logs attached.
Thanks

Is the problem still apparent with the redirects? Are they consistent or at random times?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

It seems a bit random. Internet Explorer worked fine from Sunday morning until Sunday evening. Now it redirects as before. Firefox had been redirecting for days and now seems to be working.

I just want to make sure, the fix you posted, that isn’t risky with my computer right?
Thanks

Nope, what it will do is reset the internet back to default.

Ok, attached is the log. Mozilla is back to redirecting (to Police ransomware) and Explorer begins to redirect and then says Page Cannot be Found.

OK, let's now look at the drivers. Does the same occur on other computers that use the same router?
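An added check for the router question above (my own example, not a tool from the thread, FRST or Avast): it lists the DNS servers each adapter is currently using, which a home router normally hands out, and compares how a few of the sites named in the thread resolve through those servers against a public resolver. It assumes Windows 7 or later with nslookup.exe present; the reference resolver 8.8.8.8 and the test hostnames are my choices.

```powershell
$publicResolver = "8.8.8.8"   # reference resolver (my choice, not from the thread)
$testHosts = @("huffingtonpost.com", "theatlantic.com", "cnn.com")   # sites named in the thread

# DNS servers each active adapter is currently using (normally handed out by the router).
# WMI is used instead of Get-DnsClientServerAddress so this also runs on Windows 7 / PowerShell 2.0.
function Get-AdapterDnsServers {
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                Gateway    = ($_.DefaultIPGateway -join ", ")
                DnsServers = $_.DNSServerSearchOrder
            }
        }
}

# Resolve $name through a specific $server with nslookup.exe and return the A records found.
function Resolve-Via {
    param([string]$name, [string]$server)
    $out = & nslookup.exe -type=A $name $server 2>$null
    $afterName = $false     # answers follow the "Name:" line; the resolver's own Address: line comes before it
    $answers = @()
    foreach ($line in $out) {
        if ($line -match '^Name:') { $afterName = $true; continue }
        if ($afterName -and $line -match '(?:Address(?:es)?:|^\s+)\s*(\d{1,3}(?:\.\d{1,3}){3})') {
            $answers += $matches[1]
        }
    }
    return ($answers | Sort-Object -Unique)
}

$adapters = Get-AdapterDnsServers
$adapters | Format-Table Adapter, Gateway, DnsServers -AutoSize

# Compare every configured resolver against the public one for each test site.
$routerDns = $adapters | ForEach-Object { $_.DnsServers } | Sort-Object -Unique
foreach ($dns in $routerDns) {
    foreach ($h in $testHosts) {
        $local  = Resolve-Via $h $dns
        $public = Resolve-Via $h $publicResolver
        if (-not $local) { $status = "NO ANSWER" }
        elseif (($local -join ",") -eq ($public -join ",")) { $status = "matches public resolver" }
        else { $status = "DIFFERS from public resolver - check the router's DNS settings" }
        "{0,-22} via {1,-15} -> {2,-40} {3}" -f $h, $dns, ($local -join ","), $status
    }
}
```

CDN-backed sites can legitimately return different addresses from different resolvers, so judge by the pattern: many unrelated sites all resolving to the same unexpected address, or a resolver that is neither the router's own address nor the ISP's, is the signature of a redirect at the router, while a single mismatch on one site is not.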

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Before I run the ComboFix, I just found out that the same problem occurs on other computers using this router.
Should I still run ComboFix, or is there something else that should be done?

Nope, hold on ComboFix… Do you know how to reset the router?

Ok, we pushed the tiny button down until it reset, but I still get redirected. Should I go onto the router page to do something else?

Do the redirects happen as soon as you have reset the router?

Also, initially only connect with the current computer.

Yes, two minutes or so after the reset, I went back online and had a redirect on my first try going on to a website. This was the only computer online.

When you reset the router, is it a small button in a recess on the back of the box labelled reset?

Here is a picture of the netgear one http://kb.netgear.com/app/answers/detail/a_id/25024/~/how-to-reset-your-netgear-home-router-to-factory-default-settings%3F

Yeah, you need something pin-like to press it.

OK so you did that…

OK, continue with ComboFix please.

Avast is trying to block combofix right after it finishes downloading. I thought I had to turn avast off before I run combofix, not before I even download it. Is something wrong?

Nope, it is just that ComboFix is continually updating and Avast takes a while to catch up. You can safely disable Web Shield to download it.