Browser Hijack

[Creative Name]

I left town for a couple days (left my computer on) and when I returned I started getting Google searches redirected to Bing and frequently get redirected to https ://myattwg.att.com:8083/olam/jsp/login/uverse/VS/UverseAccount.html.

I need help reso;ving the myattwg problem and thank you in advance.

I can't get the FRST.txt to attach

 

[Creative Name]

Here is the file

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I suggest your remove this program in bold using the Control Panel > Programs > Programs and Features...
CPUID CPU-Z 2.08 (HKLM\...\CPUID CPU-Z_is1) (Version: 2.08 - CPUID, Inc.)

It's been Identifies as Malicious. Read about it.

Malware analysis cpu-z_2.08-en.exe Malicious activity | ANY.RUN - Malware Sandbox Online

Online sandbox report for cpu-z_2.08-en.exe, verdict: Malicious activity

any.run

===

You should also delete the filles if you decide to remove it.
2023-10-29 21:55 - 2023-10-29 21:55 - 002220768 _____ (CPUID, Inc. ) C:\Users\Owner\Downloads\cpu-z_2.08-en.exe
2023-10-29 21:55 - 2022-02-20 21:06 - 000000914 _____ C:\Users\Public\Desktop\CPUID CPU-Z.lnk

p.s.
If you decide to download a new version I suggest you scan the download file at Virus Total.
Follow the directives on this site.

VirusTotal

VirusTotal

www.virustotal.com

<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

 

[Creative Name]

I tried to load this website, Freefall 01358 December 20, 2006
Got redirected to https:// myattwg.att . com:8081/olam/jsp/login/uverse/VS/UverseAccount.html

tried to load-
Reset Password | ActiveBuilding (an expired password reset link)
from an email link and got redirected to
https:// myattwg.att . com:8082/olam/jsp/login/uverse/VS/UverseAccount.html
In the first case, I can't continue reading a web comic I enjoy, in the second case I can't log a maintence request for my apartment online.
I'm also getting the myatt redirect on my Android phone

 

[nasdaq]

Hi,

If the problem persists and you are Syncing Edge with other devices reset it.

How to:

Turn On or Off Sync Microsoft Edge Settings across Windows 10 Devices

How to Turn On or Off Sync Microsoft Edge Settings across Windows 10 Devices

www.tenforums.com

Restart the computer to remove all traces.

If the problem persists and Chromium Edge is Synced with other devices disable it.

Open Microsoft Edge.
Click the Settings and more (three-dotted) button from the top-right.
Click the Settings option. ...
Click on Profiles.
Click the Sync option. ...
Click the Turn off sync button.

Restart the computer.

You can reset the Sync when all is well.

If the problem persists with the computer please scan the computer with the Farbar program and post fresh logs for my review.

p.s.
If you have an other Browser installed find out if the problem is also showing up.

If all fails execute this.

There is a Search Files button on the FRST Console (farbar tool). To search for files you can type or copy and paste the names you wish to search for into the Search box. Wild cards are allowed like afd.sys*

type the following in the search box.

myattwg.att.com;mayattwg.att*

Click the SearchFile button.

Post the log for my review.

 

[Creative Name]

I do not use Edge, but I turned off sync for the browsers I use, restarted and still have the problem. Frst logs below.

I don't know if this is a problem, but when I run the Farbar program, I get

followed by


I searched for myattwg.att.com;mayattwg.att* and for just myattwg and did not find either.

 

[nasdaq]

Hi,

Remove and re-install Firefox it may be compromised.

Navigate to this page.

Follow all the directives

Troubleshoot and diagnose Firefox problems | Firefox Help

You can then reinstall Firefox if you want it.

p.s.
This process will not remove your Firefox profile data (such as bookmarks and passwords), since that information is stored in a different location.
Follow the suggested directives.
<<<>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

 

[Creative Name]

still going here

https://myattwg.att.com:8084/olam/jsp/login/uverse/VS/UverseAccount.html

when I try to go to

Freefall 4045 April 5, 2024

 

[nasdaq]

Hi,

For some unknown reason this command has failed in the FIX.


Launch Notepad, and copy/paste all the blue instructions below to it.
Save[/b ]to: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

If the problem persists run this scan.

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

• Right-click the icon and select Run as administrator.[/*]
• Click Yes to accept any security warnings that may appear.[/*]
• Click the Next button.[/*]
• Select 'I accept the terms in the license agreement', then click Next twice.[/*]
• Click the Install button and wait until the installation is complete.[/*]
• Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.[/*]
• Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.[/*]
• Click Yes to accept any security warnings that may appear.[/*]
• After it updates and a "Start Scanning" button appears in the lower right:
  • Disconnect from the Internet or physically unplug your Internet cable connection.[/*]
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.[/*]
  • Temporarily disable your anti-virus and real-time anti-spyware protection.[/*]
  [/*]

• Click the "Start Scanning" button in the lower right to start the scan.[/*]
• After starting the scan, do not use the computer until the scan has completed.[/*]
• When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.[/*]
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.[/*]
• If any threats are found click Details, then View Log file (bottom left-hand corner).[/*]
• Copy and paste its contents in your next reply and note any errors encountered.[/*]
• Close the Notepad document, close the Threat Details screen, then click Start cleanup.[/*]
• Click Exit to close the program.[/*]
• If no threats were found, please confirm that result.[/*]

Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

Please post the contents of the log in your next reply and note any errors encountered.
===

 

[Creative Name]

Tried all above, still borked

 

[nasdaq]

Hi;

Please run the Farbar program again and post fresh logs.

p.s.
If Edge is installed t not being use check the Sync as previously suggested and delete it.
Restart the computer normally when done.

 

[Creative Name]

I turned sync off on all browsers

 

[nasdaq]

Hi,

The culprit has shown it's ogly head groovorio.com

Edge StartupUrls: Default -> "hxxps://www.google.com/","hxxp://groovorio.com/ <-----
___

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

 

[Creative Name]

me aiming at hackers and spammers

groovorio.com may be a culprit, but it is not the culprit in this case. I'm still having that dratted hxxps://myattwg.att.com: redirect

 

[Creative Name]

I solved the issue with a free trial to Spyhunter. The product is grossely over priced at $72/3 months, but it did the trick.

 

[nasdaq]

Hi,

Good work.

I will leave this topic open for a few days. If any issues please call.