Common fixes not working against redirects, hijacks, and popups

[Capt Peaches]

I went to free tv project to stream the prison war episode of Walking Dead this
season (1 month ago), and got trapped in an endless stream of malicious windows, 99%
sure this is the source of my computer's issues. Initially the symptoms were hijacked
windows and pop-ups, but now the computer has ad-ware, coupons, and other weird
windows popping up non-stop.

Hijacked windows, hijacked pop-ups (for instance, a log-in form for my bank or a
store locator for my grocery store search gets hijacked by an advertisement),
redirects, and coupons/price matching/best deals/etc. chilling out in all-too
convenient pull out windows.

I followed the instructions here on MalwareTips to remove nym1 ib adnxs com because
my Chrome browser identified that virus, but none of the software in that guide found
any malicious files. I have also checked the extensions in Chrome for the Right
Coupon pop-outs I saw on a trusted retail site, but Right Coupon does not appear in
the extensions list. I'm at a loss here.

 

[TwinHeadedEagle]

Hi,


Please download zoek.zip or zoek.rar by smeenk (

) from here or here and save it to your Desktop.
Unpack the archive...

• Close any open browsers
• Temporarily disable your AntiVirus program. (If necessary)
  If you are unsure how to do this please read this or this Instruction.
  
• Double click on zoek.exe to run the tool .
  Please wait while the tool does not start...
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:
  
  

  createsrpoint;
  gpt.ini;z
  C:\Windows\System32\GroupPolicy;v
  C:\Windows\SysWOW64\GroupPolicy;v
  StandardSearch;
  emptyfolderscheck;
  installer-list;
  installedprogs;
  uninstall-list;

• Click on
  
  button.
  Please wait until a logreport will open (this can be after reboot)
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"

 

[Capt Peaches]

Thanks TwinHeadedEagle!

 

[TwinHeadedEagle]

Re-run Zoek again with the script below:

C:\Windows\System32\GroupPolicy\Machine;fs
C:\Windows\System32\GroupPolicy\User;fs
C:\Windows\System32\GroupPolicy\gpt.ini;f
C:\Windows\SysWOW64\GroupPolicy\gpt.ini;f
C:\ProgramData\WiAtchItNoaAds;fs
C:\ProgramData\jmcobkpgedmnhenmdnfgplfbhefkalhn;fs
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
C:\\PROGRA~2\\SSSUPP~1;fs
eeedgkpknpkndjednpfdggfnbgemeebh;chr
jglckfaohijblpfdabondpkogfmbflmh;chr
mijhajnnlekeifpmejceaeebegdcipan;chr
mndnfdhejmmikhmgjloohbodpnbdmldl;chr
jmcobkpgedmnhenmdnfgplfbhefkalhn;chr
autoclean;
emptyalltemp;
emptyclsid;
ipconfig /flushdns;b

 

[Capt Peaches]

As instructed...

 

[TwinHeadedEagle]

How is the situation now?

Let's run another tool, for final check:


Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.

• Press Start Scan
• If Suspicious object is detected, the default action will be Skip, click on Continue.
• If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

 

[Capt Peaches]

TDSSKiller came back with no threats detected, although it hadn't detected any threats even when they were there prior. HOWEVER, I visited a few retail website and the coupon/deal pop-ups did not come back! Super stoked about that!

Furthermore, I went back to the bank site whose legit pop-up window was being hijacked and that too worked as it should, no takeover there either! Again, very satisfied with these results.

Thank you VERY much TwinHeadedEagle!

 

[TwinHeadedEagle]

Glad to hear it

I can recommend you this software to avoid Adware in the future:

http://unchecky.com/

Read here how it works --> http://www.howtogeek.com/179758/how-to-avoid-junkware-offers-with-unchecky/


• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;

Remove disinfection tools

Create registry backup

Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.