Thanu

Vktarget.ru / Traffstock / AdWizard / Stubborn Browser Hijacker


Tried everything within my lay powers but cannot remove this root-hugging browser hijacker.

 

Used Adaware quick and full scans, Malwarebytes many times after using TFC and resetting browsers.

 

Also HitmanPro, ComboFix, HijackThis (and fixed per their recommendations), CCleaner, AdwCleaner, Glary Utilities, NPE, JRT, forget what else ...

 

FRST Reports attached as requested.

 

Would truly appreciate your advice, help, solution! Pretty nasty annoyance for us non-malware experts.

 

Sincerely, Thanu

Addition.txt

FRST.txt


Hello!

 

Please do the following:

  • Try to find and delete these keys in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\catchme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\catchme
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

  • Try to delete this file:
    • C:\Users\windows7\AppData\Local\Temp\catchme.sys (if the file cannot be deleted, reboot the system and try again)
  • Uninstall "PxMergeModule"
  • If they exist, try to delete these files:
    • C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\{5ebdca98-43b3-45bb-87e0-716029fb42ab}.xpi
    • C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected]
    • C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected]
    • C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected]
    • C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected]
    • C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

Download and run TDSSKiller from here. Run a scan and share the results. You can also try running Firefox with extensions disabled: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode#w_how-to-start-firefox-in-safe-mode

Thanks so much - I'm working on it ...

 

What do I do when Reg Keys won't delete? I'm just using regedit - don't know anything else.

 

I'll carry on and let you know the results, etc.

 

Cheers - Thanu


Hi Thanu,

 

Let us use FRST to delete the registry keys instead, since it's much safer; I'll be back in a few minutes with instructions.


OK thank you. I also don't know how to:

  • Uninstall "PxMergeModule"

I ran Kaspersky's TDSSKiller - no threats detected.

 

Could not find C:\Users\windows7\AppData\Local\Temp\catchme.sys ("if file could not be deleted - reboot the system and try again"). Perhaps an anti-malware program got rid of it, but it's not there.

 

I uninstalled Firefox and deleted all the Mozilla files in Roaming folder.

 

Thanks & regards, Thanu


Hi again,

 

1. Please, uninstall "Java 7 Update 71" and, if you really need Java (most people don't), install the latest version and that is version 8 Update 25.

 

 

2. I can see that you recently added these add-ons to Chrome:

CHR Extension: (Yappy) - C:\Users\windows7\AppData\Local\Google\Chrome\User Data\Default\Extensions\jleajjoinbmogfgencngmnnndkkciben [2014-11-09]

CHR Extension: (Yappy App) - C:\Users\windows7\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmlflomkeommgpkchoflehmbkfplaeha [2014-11-24]

Are they responsible for the ads?

I know some add-ons display ads, and I can't find much information about this add-on. You have other Chrome add-ons that are rather unknown, and I can't be sure that they aren't displaying ads. I don't think I have ever seen a log with so many Chrome add-ons; you should go through them and check whether you really need them.

 

 

3. Do you want to use a DNS server located in Germany while you are using an IP address in Thailand?

I'm asking since there are fake DNS servers that intercept the communication and inject ads.

 

 

4. Please, start Notepad.

Copy all text that is in the box:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3916589451-2365975154-121726412-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3916589451-2365975154-121726412-1000 -> No Name - {4064EA35-578D-4073-A834-C96D82CBCF40} -  No File
FF Extension: No Name - C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\{5ebdca98-43b3-45bb-87e0-716029fb42ab}.xpi [Not Found]
FF Extension: No Name - C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected] [Not Found]
FF Extension: No Name - C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected] [Not Found]
FF Extension: No Name - C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected] [Not Found]
FF Extension: No Name - C:\Users\windows7\AppData\Roaming\Mozilla\Firefox\Profiles\900sfl63.default\extensions\[email protected] [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR Plugin: (Java(TM) Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.70.11) - C:\Windows\system32\npDeployJava1.dll No File
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2014-12-14] ()
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 catchme; \??\C:\Users\windows7\AppData\Local\Temp\catchme.sys [X]
2014-12-14 11:59 - 2014-12-14 16:01 - 00000000 ____D () C:\Users\windows7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2014-12-14 11:37 - 2014-12-14 11:37 - 00019984 _____ () C:\Windows\system32\Drivers\EsgScanner.sys
Task: {3386B2D1-085F-4158-8D38-35E43F1DDA37} - \060184C3-9766-46a0-B258-F4518A0B2633 No Task File <==== ATTENTION
Task: {9CE9268B-3C64-44DF-A111-86D66825956C} - System32\Tasks\{19C05706-913D-4BFE-9FD7-5457E677C030} => pcalua.exe -a C:\Users\windows7\Downloads\skype4pidgin-installer.exe -d C:\Users\windows7\Downloads
Task: {B8C5EB78-4BCE-41BD-89AA-2EA303D8FA8B} - \Microsoft\Windows\Multimedia\SMupdate3 No Task File <==== ATTENTION
Task: {BBE73669-76E3-40CB-8065-2B3F578AC99B} - \Microsoft\Windows\Maintenance\SMupdate2 No Task File <==== ATTENTION
CHR Extension: (No Name) - C:\Users\windows7\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda [2012-12-04]

and paste in Notepad. Check that no files have been split on two lines.

Save the file as fixlist.txt on the desktop.

 

Exit all programs.

Start FRST, please.

Click the Fix button.

Wait until the tool has finished.

 

It creates a log file, called Fixlog.txt, on the desktop.

Please, paste the content of that file in your answer.

 

 

5. Please, attach C:\ComboFix.txt.

I hope you're aware that using ComboFix the wrong way can destroy Windows.

 

 

6. Catchme is a part of ComboFix and it will be removed when ComboFix is properly uninstalled.

 

 

7. Do you see the ads both in Internet Explorer and in Chrome?


For registry key modification and direct file access you can use this tool. To see the advanced options, click the ">>>" button.


Hello and thanks so much.

 

I deleted most of my Chrome extensions - I only had a couple enabled, but the rest were still there I guess - I trashed them.

 

I can't uninstall ComboFix, and didn't know it was dangerous, no. There is only the .exe file which I click to run it, and no programs or control panel list it so that it can be uninstalled - so I can't do that - or don't know how to get rid of those reg. entries, either.

 

What do you mean by this? 3. Do you want to use a DNS server located in Germany while you are using an IP address in Thailand?

I'm asking since there are fake DNS servers that intercept the communication and inject ads.

 

I am in Thailand and know nothing about the fake DNS servers - are you saying I'm using one? If so, how to stop doing that?

 

I'll do the other items now as best I can.

 

Thanks for advising on this as well, esp. the DNS issue, which I have no idea about.

 

I suppose I should test what's been done already as well, right? Though I'm afraid that being served these ads and redirections makes things worse - I guess it doesn't, though.

 

Best regards, Thanu

ComboFix.txt


If you want to remove ComboFix, open the Run dialog (Start -> Run) and enter "combofix /uninstall". And please don't forget to clear the browser cache!


I tried to uninstall via command line; said not recognized.

 

I normally don't use IE - I just tried surfing & coincidentally or not (?) when I allowed Adobe Flash to run the Traffstock Ad Wizard popped up and the redirect page opened - vktarget.ru.

 

Don't know if that's a possible culprit or not.

 

More soon.


3. I'm not sure about the DNS server, but usually people use the DNS server of their internet service provider.

When you have run FRST, as I wrote in #4, you change the DNS servers like this: http://www.sevenforums.com/tutorials/15037-dns-addressing-how-change-windows-7-a.html
In item #7 write down the current settings and then change to "Obtain DNS server...".

To clear the DNS cache:
Start menu - Accessories
Right-click on Command Prompt and select "Run as administrator".
Enter this command (end with Enter key): ipconfig /flushdns

Restart the computer.

Test the browsers.

If you can't reach web pages, please change DNS servers again to the values you wrote down.

Edited by CeciliaB
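As an added example (not from CeciliaB's post and not part of any tool named in this thread), here is a Python script that does the "write down the current settings" step programmatically: it parses the output of ipconfig /all and flags any configured DNS server that is neither the home router (the default gateway), a private LAN address, nor a resolver on an allowlist. The ipconfig text inside the script is a constructed sample in the Windows 7 layout, not a capture from Thanu's machine; the allowlist (Google Public DNS only) is an assumption standing in for the ISP's real resolver addresses, and the flagged address 94.249.192.184 is the German server Loke reports further down in this thread.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output in the Windows 7 layout; it is
# not a capture from the poster's machine. The first DNS entry is the German
# address Loke reports further down in this thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN7-PC
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 94.249.192.184
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Assumed allowlist. In a real check put your ISP's resolver addresses here;
# Google Public DNS is listed only as a well-known public resolver.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# "Ethernet adapter Local Area Connection:" opens a new adapter section.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# "   Key . . . . : value" inside a section. Extra values of a multi-valued
# field (DNS Servers) follow on their own lines, indented, with no key.
FIELD_RE = re.compile(r"^\s{3}(?P<key>[A-Za-z][^:]*?)[ .]*:\s*(?P<value>.*)$")


def parse_dns_servers(text):
    """Return {adapter name: {"gateway": str or None, "dns": [ip, ...]}}."""
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"gateway": None, "dns": []}
            last_key = None
            continue
        if current is None:          # the global "Windows IP Configuration" block
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            value = m.group("value").strip()
            if last_key == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
            elif last_key == "Default Gateway" and value:
                adapters[current]["gateway"] = value
            continue
        # Continuation line of the DNS Servers field: value only, no key.
        if last_key == "DNS Servers" and line.strip():
            adapters[current]["dns"].append(line.strip())
    return adapters


def classify_resolver(ip_text, gateway):
    """Say whether a configured resolver is one this host should expect."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsable"
    if gateway and ip_text == gateway:
        return "gateway"          # the home router forwarding to the ISP
    if ip.is_private:
        return "local"            # a LAN resolver, e.g. a filtering box
    if ip_text in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unexpected"           # look this address up: who operates it?


def unexpected_resolvers(text):
    """Return [(adapter, ip)] for every resolver outside the allowlist."""
    found = []
    for adapter, info in parse_dns_servers(text).items():
        for ip_text in info["dns"]:
            if classify_resolver(ip_text, info["gateway"]) == "unexpected":
                found.append((adapter, ip_text))
    return found


if __name__ == "__main__":
    for adapter, ip_text in unexpected_resolvers(SAMPLE_IPCONFIG):
        print(f"{adapter}: unexpected DNS server {ip_text}")
```

To use it on a real machine, run ipconfig /all > ipconfig.txt from the elevated Command Prompt and call unexpected_resolvers(open("ipconfig.txt").read()). If an unexpected address shows up again after you have switched the adapter back to "Obtain DNS server address automatically", the setting is being handed out by the DHCP server, which at home is the router, so the router's own DNS configuration is the next thing to inspect.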


Please read the tutorial "How to use ComboFix" here. At the end you will find instructions on how to remove the program. Next time, don't allow suspicious pop-ups to run, and keep away from suspicious sites. First, a suspicious site can contain a malicious Flash applet; second, a normal site can be infected and include hidden iframes with malicious scripts.

About IE: you used Google Chrome and Firefox, so please continue to use them; just clear the cache in those browsers. Malicious scripts could be stored in your browser's cache.


The problem is persisting despite doing almost all the above.

 

I tried using the tool from Gmer.com, opened it, found the registry items, but didn't know how to delete them. No delete button, right click doesn't provide delete option, etc.

 

Flushed the DNS and it still loads pages OK; still has the ads and redirect issues also.

 

I hope you will have more suggestions after looking at my logfile report or something else.

 

Seems like a tricky bug to get rid of. Thanks for your help again very much - Thanu


1. Gmer can only modify values in the registry. You can erase a value (or leave an empty string) and click the Save button.

2. Please clarify your problem:

  • Does this issue happen in all browsers?
  • Does it happen only on some sites, or on all websites?
  • How do you launch your browser? (From an icon on the desktop, etc.)
  • Is the antivirus on while you are surfing?
  • Do you allow some objects to run on a site?


1. You can post the log from Gmer with your reply and you'll get more detailed instructions.

 

2. Please, scan with FRST and attach the new FRST.txt.

 

3. Run an online scan with Eset to get a second opinion (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your answer.


Hello - It's now morning in Thailand. The problem occurs on all browsers on random sites. I've used my current installation of Windows several years now with no issues. I guess I allow Javascript - I didn't turn anything off. I launch browsers from taskbar shortcuts.

 

I may have been infected with a Filezilla update - I saw others complaining about malware in this regard.

 

For now, here's the Gmer report - I will carry on with ESET a bit later in hopes we can resolve this today.

 

Thanks again for your kind assistance - Thanu

gmer.log


Good morning Thanu,

 

But here in Europe it's very very late.

 

1. Did you exit Chrome before running Gmer?

If not, please do that, but I can't see anything that seems to be malicious in the Gmer log, but let us see if Artem can.

 

2. Can you paste the link to the Filezilla update in your reply?

But please remove "http" from it.

 

3. Please, try to start the browsers from their own program folders instead, sometimes malware changes the shortcuts.

C:\Program Files\Internet Explorer\iexplore

C:\Program Files\Mozilla Firefox\firefox

 

4. Do you have synchronization in Google Chrome or Firefox?

If yes, the bad add-ons and/or settings can be restored.

 

5. Is the DNS setting as you selected or has it been changed again?

 

6. Do Ad-Aware or Malwarebytes Anti-Malware find anything during full scans?

 

 

7. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Close all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Report button.
A report will be displayed; copy its content and paste it into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[R0].txt.


Here are a few reports for now.

 

I've been using IE the last hour and NO instance of problem / hijacker. Reckon it must be Chrome-related.

 

I removed more extensions, leaving only one, LastPass, for the time being.

 

No threats found by programs below.

 

Closed Chrome this time for Gmer report.

 

More later when Adaware finally finishes.

 

Thanks again - Thanu

gmer2-17Dec.log

MBAM17Dec-1.txt

AdwCleanerR13.txt


Hi Thanu and all the wizards here,

 

First, let me ask you, Thanu; are you using ToT as your ISP?

 

I'm a retired computer engineer living in Thailand, and I've recently experienced the exact same trouble with vktarget.ru. Using all my skills to crack this Russian nut, I couldn't and still can't escape this, and am still in the same frustrating situation as you are in (even my smartphone is affected). But it is my opinion that it is the ISP (ToT) that has been infected, and here's how I came to that conclusion:

 

1. Scanning with Ad-Aware and Spybot didn't come up with anything.

 

2. Adding vktarget.ru (and all the redirections) to my hosts file, pointing them to localhost (127.0.0.1), did fix most of the redirections, but of course not the ones with random subdomains (as hosts doesn't support wildcards).

 

3. My DSL-router had my main DNS altered from the usual ToT (8.8.8.8) to a German GHOSTnet DNS-server (94.249.192.184). I suspected the router to be hacked, but I could change it back to 8.8.8.8, yet the problem persisted, which was the main tip pointing to ToT being infected.

 

I then also noticed that vktarget.ru was gone if I used a VPN on the PC, or used my mobile ISP (TrueMove H) instead of WiFi on my smartphone, hence my conclusion.

 

My skills are rusty, and I might be wrong - and I'd appreciate to be corrected by any of the wizards here.

 

/Loke

Edited by Loke
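To make Loke's point 2 concrete, here is an added Python example (not Loke's code and not from any tool in this thread). It models hosts-file matching, which is exact-name only, beside the suffix rule a filtering resolver applies (dnsmasq's address=/vktarget.ru/ is the usual form): the fixed names are sinkholed by hosts, a randomly generated subdomain slips past, and a line such as 127.0.0.1 *.vktarget.ru is just a literal name that no real query ever matches. The hosts content and the random-looking subdomain are constructed samples; the Windows hosts path is the standard one.

```python
# Windows keeps the hosts file here; the path is the standard one, not
# something specific to the poster's machine.
HOSTS_PATH_WINDOWS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file (not Loke's). The last entry is included to
# show that "*" in hosts is a literal character, not a wildcard.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       vktarget.ru www.vktarget.ru   # redirect target named in the thread
127.0.0.1       *.vktarget.ru                 # looks like a wildcard, but is not
"""


def parse_hosts(text):
    """Map every hostname listed in a hosts file to its address.

    Comments start with '#', each line is 'address name [alias ...]', and
    names are case-insensitive. A name listed twice keeps the first address
    seen; this example does not model any further OS precedence rules.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def hosts_lookup(hostname, table):
    """Emulate hosts-file resolution: the queried name must match an entry
    exactly, so a subdomain is not covered by its parent domain's line."""
    return table.get(hostname.rstrip(".").lower())


def suffix_blocked(hostname, blocked_domains):
    """Emulate a resolver-side rule (dnsmasq address=/vktarget.ru/, or a
    DNS filter's wildcard): the domain and every name beneath it match,
    but a lookalike such as notvktarget.ru does not."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def generate_hosts_block(domains, sinkhole="127.0.0.1"):
    """Render hosts lines for the fixed names you actually know about.
    Loke's choice of 127.0.0.1 is kept; 0.0.0.0 is the other common sinkhole."""
    return "\n".join(f"{sinkhole}\t{d}" for d in sorted(domains))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    # "x7k2q" stands in for one of the random subdomain labels Loke describes.
    for name in ("vktarget.ru", "www.vktarget.ru", "x7k2q.vktarget.ru"):
        print(f"{name:24} hosts -> {hosts_lookup(name, table)!s:10} "
              f"suffix rule -> {suffix_blocked(name, {'vktarget.ru'})}")
    print(generate_hosts_block(["vktarget.ru", "www.vktarget.ru"]))
```

The practical consequence is the one Loke reached by experiment: a hosts file only helps for the handful of fixed names you have already seen, so the random-subdomain redirects need a rule applied by a resolver you control, or a different resolver altogether (which is what the VPN and mobile tests in his post effectively gave him).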


Hi Loke - Great to see others joining in, though of course sorry to see you're likewise afflicted by this annoying pestilence.

 

Now, is my ISP TOT? Yes - and No. It was when the problem started a few days ago, but it is not now. For unrelated reasons (speed), I just switched to 3BB up here in northeast Thailand.

 

And so it seems the situation gets curiouser and curiouser – and we may come to a definitive verification of your hypotheses before too long, seeing as I don’t plan on plugging my TOT router back in anytime soon.

 

But I haven’t been surfing much since I switched this morning, and so cannot give you any feedback yet. But I plan to start doing so shortly, and then we can continue this, and see what pops out.

 

But wouldn’t many more folks here in Thailand be afflicted with this? Why aren’t we hearing more about this nasty hijacker?

 

I must say I was very surprised when the Mod here mentioned Germany showing up as my DNS, but if what you say is true, then we’re – you’re – definitely on to something.

 

I’ll post more soon – and hope my problem begins to fade away!

 

And why haven’t you changed ISPs yet?

 

- Thanu


I have a winter residence on Koh Chang, and unfortunately here we are all stuck with ToT, while eagerly waiting for AirNet to roll their fiber out village by village. In Khon Kaen, where I reside in the summer months, I'm using 3BB as well. Why not many have complained; well, not many foreigners are using ToT in Thailand, for reasons that are obvious (throttling international traffic being not the only but the main reason). This problem is quite new (14+ days), and last but not least, I guess most people have become somewhat used to having pop-ups interfere with their browsing, and the Adblock Plus plug-in can get rid of many pop-ups, also vktarget.ru (if point'n'clicking on those manually).


Good answers, though I don't get this: the Adblock plus plug-in can get rid of many pop-ups, also vktarget.ru (if point'n'clicking on those manually).

 

What does it mean? You must click on them with AdBlock enabled to make them go away?

 

Anyway, it's only been 15 minutes, but I'm hoping ... nothing yet.

 

Will update you all in a bit.

 

Hopefully, searchers can now find this topic if they use the terms I put in to the thread title - but I don't want to rush things and be disappointed.

 

Thanu
