Browncoat Posted May 15, 2015 (edited)

It is driving me up the wall. Affecting my favourite download manager {MegaManager}, and before you say anything, I know Megaupload is dead, saw it in the news, but if you skip the login page and go to the downloads tab, it works as usual. I liked the simple interface, the speed indicator etc. Wasted 30 hours on the **** thing, none of the half-dozen or so malware utilities are detecting it, waiting for friggin scans that go nowhere. Isn't there a tool that would let me plug in the name, if I know what the pest is... [it left a URL in a Firefox tab, that is/was blank because of all the other measures I've taken] on MM startup though, it would open a FF window, no toolbar and a bunch of script dialogues [if FF portable wasn't already running, yes I prefer the portable versions]... then hunt and kill the pest? Even the much vaunted Malwarebytes couldn't find it. Spyhunter 4, waited 100 minutes for a scan, didn't find the little bugger, but it found everything else, including my KMSservices (harmless, which I want to be left alone) but at least it lets you uncheck what you want to keep, however, after telling it to remove, it holds you hostage, wants 60 bucks CDN to clean your machine, why don't I just drop trou and bend over? It'd be a lot more honest.

My nerves are shot, it usually takes me less than an hour to rid myself of code pests. My temporary solution was to disable the FF integrator [though a previous test showed it wasn't a problem] in add-ons and un-install MegaManager [but for now I retained the history, which I can dump later] and install Free Download Manager Portable (or just FDM, as referred to in lit) and its FF integrator, then pray it doesn't fall to the same fate. Though 'zeroredirect1.com' is still there, embedded. A previous un-install and re-install of MM didn't work. Thought replacing with a virgin copy would work. What do you think?

Edited May 19, 2015 by Browncoat
jaclaz Posted May 15, 2015

Depending on the OS you are running, suitable tools are usually HijackThis:
http://sourceforge.net/projects/hjt/
and ComboFix:
http://www.bleepingcomputer.com/download/combofix/

But wouldn't this (specific) set of (manual) instructions do?
http://www.anvisoft.com/resources/how-to-remove-za-zeroredirect1-com-popups-adware-removal-guide/

Adwcleaner is said to be detecting and removing it:
https://toolslib.net/downloads/viewdownload/1-adwcleaner/
http://malwaretips.com/blogs/zeroredirect1-com-removal/

However make sure (as always) to have a valid backup/recovery solution tested, you never know.

As a side note, there are quite a few reports about the Spyhunter thingy being what I would call a "dangerous" tool, that in more than one case has managed to additionally make a system unbootable; make sure that you have properly removed/uninstalled it.

jaclaz
Browncoat (Author) Posted May 15, 2015

> Depending on the OS you are running, suitable tools are usually HijackThis:
> http://sourceforge.net/projects/hjt/
> and ComboFix:
> http://www.bleepingcomputer.com/download/combofix/
> But wouldn't this (specific) set of (manual) instructions do?
> http://www.anvisoft.com/resources/how-to-remove-za-zeroredirect1-com-popups-adware-removal-guide/

Me: think I read it already, will follow link when I have time.

> Adwcleaner is said to be detecting and removing it:
> https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Me: that was the first I tried.. no success but may try again tomorrow.

> http://malwaretips.com/blogs/zeroredirect1-com-removal/

Will read tomorrow.

> However make sure (as always) to have a valid backup/recovery solution tested, you never know.
> As a side note, there are quite a few reports about the Spyhunter thingy being what I would call a "dangerous" tool, that in more than one case has managed to additionally make a system unbootable; make sure that you have properly removed/uninstalled it.

Me: Spyhunter got the boot after it failed.

> jaclaz

Well, yes, after each failure I un-installed with either AppRemover [targets stubborn A-V ware] or CCleaner's tool. Wallowing in poverty, I used up all my drives in this workstation, have nothing to put anything on, but my data drives are clean. The pest is contained in MM, no aberrant behaviour all afternoon. Get most of my stuff at MajorGeeks, going down the list.
NoelC Posted May 17, 2015

For what it's worth - and I know this doesn't help after the fact - a couple of URLs for that domain are blocked by the MVPS hosts file.

See also: http://www.msfn.org/board/topic/173660-anti-malware-suggestions/

-Noel
Browncoat (Author) Posted May 17, 2015 (edited)

I have administrator rights, but the command box doesn't look like yours. Since the Atari ST I've lost command line skills, doesn't respond to fgrep. I opened my hosts file in Notepad, all 127.0.0.1, no 0.0.0.0 like yours. Entries made by Spybot S&D.

With the antimalware I've downloaded, I think I got rid of it. Gave AdwCleaner and Malwarebytes Free another chance, lots of 'PUP's but no 'PUM's. Got rid of MM and its integrator extension, using FDM and its FF integrator now. So far, so good.

Edited May 17, 2015 by Browncoat
NoelC Posted May 17, 2015

Sorry, fgrep is a tool I get from the Gnu Toolkit. That doesn't come with Windows.

The MVPS hosts file I mentioned is obtained here: http://winhelp2002.mvps.org/hosts.htm

The intent is to redirect URLs to known parasite/badware/adware web sites to an IP address that cannot work. I do not suggest disabling the DNS Client service. Adding those entries to your hosts file could block further infections. It seems to me there are/were problems with using 127.0.0.1 instead of 0.0.0.0, though I've forgotten what they are.

-Noel
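The hosts-file sinkholing NoelC describes can be checked mechanically rather than by eyeballing the file in Notepad. The script below is an added example, not from this thread or from the MVPS project: a small Python parser that reads hosts-file text the way the resolver does (first field an IP, remaining fields hostnames, `#` starts a comment, first match wins) and reports whether a hostname is pinned to a non-routable address. The sample hosts text is constructed; the zeroredirect1.com names are the ones mentioned in the thread. On the 127.0.0.1 versus 0.0.0.0 point: 127.0.0.1 sends the request to the local loopback, where it waits for a refused connection (or reaches any web server listening locally), while 0.0.0.0 is not a connectable address, so the attempt fails immediately. The parser treats both, plus their IPv6 equivalents, as sinkholes.

```python
"""Parse a hosts file and report which hostnames it sinkholes.

Added example (not from the thread or the MVPS project). SAMPLE_HOSTS is a
constructed file in the style of a blocklist-augmented Windows hosts file.
"""
import ipaddress

# Constructed sample: mixed sinkhole addresses, a tab, an inline comment,
# a malformed line, and one genuine (non-sinkhole) intranet mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   za.zeroredirect1.com    # added from a blocklist
127.0.0.1\tzeroredirect1.com  www.zeroredirect1.com
0.0.0.0   ads.example.invalid
not-an-ip   broken.example.invalid
192.0.2.10  intranet.example.invalid   # a real mapping, not a sinkhole
"""

# Addresses that make a connection attempt fail (IPv4 and IPv6 forms).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every valid 'ip host [host ...]' line.

    Comments ('#' to end of line) and blank lines are skipped, as are lines
    whose first field is not an IP address, mirroring what the resolver does.
    Hostnames are lower-cased because hosts-file lookups are case-insensitive.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for host in fields[1:]:
            # The resolver uses the first matching entry, so keep the first.
            mapping.setdefault(host.lower(), str(ip))
    return mapping


def sinkhole_address(text, hostname):
    """Return the sinkhole IP a hostname is pinned to, or None if it is not.

    A hostname mapped to a routable address (like the intranet entry above)
    is reported as not sinkholed, because that mapping lets traffic through.
    """
    addr = parse_hosts(text).get(hostname.lower())
    return addr if addr in SINKHOLE_ADDRESSES else None


def sinkhole_report(text, hostnames):
    """Map each hostname to its sinkhole address, or None when unblocked."""
    return {h: sinkhole_address(text, h) for h in hostnames}


if __name__ == "__main__":
    checks = ["zeroredirect1.com", "za.zeroredirect1.com",
              "intranet.example.invalid", "cdn.example.invalid"]
    for host, addr in sinkhole_report(SAMPLE_HOSTS, checks).items():
        print(f"{host:28} -> {addr or 'NOT BLOCKED'}")
```

To run it against a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS`. Note that a hosts entry only affects names the system resolves through the hosts file; it does nothing for software that resolves names itself or connects by IP address, which is the limitation Tarun raises further down the thread.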
Tarun Posted May 18, 2015

Browncoat, please refer to this pinned topic and let's get your PC checked into. Hosts file won't fix any infections.

The hosts file is being misused to block malware and advertisements, this is not a solution or prevention, sadly. The hosts file should be mostly empty except for the defaults or any entries to websites you're having trouble reaching. There's a wiki article about how to Block Malware and Advertisements Safely.

For our members and visitors, be sure to whitelist MSFN to show support.
Browncoat (Author) Posted May 18, 2015 (edited)

Well, it won't be seeking megaupload.com anytime soon. It was only doing its adware thing when I opened the MegaManager downloader, probably during the login page, which I usually ignore, jumping to the downloads tab, plus every 10 minutes. That has been replaced with FDM.

http://www.majorgeeks.com/files/details/anti_malware_toolkit.html hasn't had an update since 2010 but will try it out tomorrow, but the other stuff says I'm clean now. I'm not a noob, just forgot a lot of stuff since 1980, like if you don't use it, you lose it. Do that other stuff tomorrow, gotta make supper....

Edited May 18, 2015 by Browncoat
Browncoat (Author) Posted May 18, 2015 (edited)

Fellas, don't fight, all I gotta do is stay away from the site of the original infection. It is adware, though it revealed it knew my I.P. and the name of my town, amateur tricks, really. Anyhooo... the site you quoted in your pinned post has no pointers to the kit but does to something I've already installed over the weekend.

http://www.lunarsoft.net/software/malwarebytes-anti-malware-2-1-6

Edited May 18, 2015 by Browncoat
Tarun Posted May 18, 2015

Browncoat, I checked the links and I believe I've found and fixed the issue for the Anti-Malware Toolkit. Previously it was bringing you to the download directory and the Anti-Malware Toolkit was listed right there. Thanks for bringing it to my attention.

Once you run through the PC Cleanup guide, post your HijackThis log in some codebox bbcode tags, and if need be other logs may be requested. I'll get your computer all cleaned up.
Browncoat (Author) Posted May 18, 2015 (edited)

I am not concerned about the 'file missing' entries, as I'm running a customised Win7 [Ultimate]; when left alone, my Win7 runs smoothly, more problems are caused by bad updates, rather than zeroredirect1, and as for the WMP entry, I use KMPlayer on the desktops, VLC Portable elsewhere.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 20:36:58, on 5/18/15
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17801)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG2015\avgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TinyWall\TinyWall.exe
C:\Program Files\LanLights\LanLights.exe
C:\Windows\system32\taskmgr.exe
P:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
P:\PortableApps\FreeDownloadManagerPortable\FreeDownloadManagerPortable.exe
P:\PortableApps\FreeDownloadManagerPortable\App\FreeDownloadManager\fdm.exe
P:\PortableApps\FirefoxPortable\FirefoxPortable.exe
P:\PortableApps\FirefoxPortable\App\firefox\firefox.exe
P:\PortableApps\FirefoxPortable\App\firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
P:\PortableApps\ThunderbirdPortable\ThunderbirdPortable.exe
P:\PortableApps\ThunderbirdPortable\App\thunderbird\thunderbird.exe
X:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sevenforums.com/tutorials/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TinyWall Controller] C:\Program Files\TinyWall\TinyWall.exe
O4 - HKLM\..\Run: [LanLight] C:\Program Files\LanLights\LanLights.exe -SILENT
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://P:\PortableApps\FreeDownloadManagerPortable\App\FreeDownloadManager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://P:\PortableApps\FreeDownloadManagerPortable\App\FreeDownloadManager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://P:\PortableApps\FreeDownloadManagerPortable\App\FreeDownloadManager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://P:\PortableApps\FreeDownloadManagerPortable\App\FreeDownloadManager\dllink.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TinyWall Service (TinyWall) - Károly Pados - C:\Program Files\TinyWall\TinyWall.exe

--
End of file - 5358 bytes

Edited May 19, 2015 by Browncoat
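A HijackThis log like the one above is reviewed by hand in threads like this, but the first-pass triage (which lines deserve a look before anything else) is mechanical enough to script. The following is an added example, not from this thread and not part of the HijackThis project: a Python parser for the O2/O4/O18/O23 line formats that applies a few reviewer heuristics and returns findings. The sample lines are copied from the log posted above, except the `[Updater]` O4 line, which is constructed so the autorun rule has something to fire on. The heuristics are this example's own: a service with "Unknown owner" has no publisher recorded, a `srvany.exe` service is a wrapper whose real program lives in the service's `Parameters\Application` registry value rather than in the log line, an autorun outside the Windows or Program Files trees deserves a look, and every O18 filter handler should be matched to an installed product (the Office one here is legitimate, which is why a flag means "check", not "remove").

```python
"""First-pass triage of HijackThis-style log lines.

Added example (not from the thread or the HijackThis project). Review rules
are this script's own heuristics; a finding means "look at this", nothing more.
"""
import re

# Lines copied from the posted log, plus one constructed O4 line ([Updater])
# that sits outside the Program Files / Windows trees.
SAMPLE_LOG = r"""
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [LanLight] C:\Program Files\LanLights\LanLights.exe -SILENT
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [Updater] C:\Users\Public\AppData\Local\Temp\updater.exe /q
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: '<hive>\..\Run: [Name] "quoted path" args' or '[Name] path.exe args'
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*(?:"(?P<qpath>[^"]+)"|(?P<path>.+?\.exe))', re.I)

# Path prefixes (lower-case) treated as expected homes for autoruns and BHOs;
# 8.3 short names and the %ProgramFiles% variable are included.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\progra~1\\", "c:\\progra~2\\", "%programfiles%\\")


def parse_entries(text):
    """Return [(code, body)] for every line that looks like an HJT entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def in_trusted_root(path):
    """True when the path starts with one of the expected install roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def review(text):
    """Apply the triage rules; return [(code, path, reason)] findings."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O23":
            # 'Service: Name - Owner - Path'
            _, owner, path = body.split(" - ", 2)
            if owner == "Unknown owner":
                findings.append((code, path, "no publisher recorded; verify the binary's origin"))
            if path.lower().endswith("\\srvany.exe"):
                findings.append((code, path, "srvany.exe wrapper; the real program is in the "
                                             "service's Parameters\\Application registry value"))
        elif code == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            path = m.group("qpath") or m.group("path")
            if not in_trusted_root(path):
                findings.append((code, path, "autorun outside Windows/Program Files"))
        elif code == "O2":
            # 'BHO: Name - {CLSID} - Path'
            _, _, path = body.split(" - ", 2)
            if not in_trusted_root(path):
                findings.append((code, path, "BHO outside Windows/Program Files"))
        elif code == "O18":
            # 'Filter hijack: mime/type - {CLSID} - Path'; always worth a match-up
            _, _, path = body.split(" - ", 2)
            findings.append((code, path, "MIME filter handler; confirm it belongs to an installed product"))
    return findings


if __name__ == "__main__":
    for code, path, reason in review(SAMPLE_LOG):
        print(f"{code}: {reason}\n     {path}")
```

Run against the full log above, the same rules would also surface the other "Unknown owner" service (nSvcAppFlt.exe) and nothing else; the O2, O8 and the remaining O4 entries all point into expected install locations.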
Tarun Posted May 19, 2015

Your version of HijackThis is out of date. If you don't need Java for anything, get rid of it. You may want to switch from AVG to avast. And what do you mean by "customized" Windows?
Browncoat (Author) Posted May 19, 2015

1) Same difference, posted wrong log previously.
2) No way, I found Avast to be a P.I.T.A. even though the 2000Pro power users here, like tomas86, use it to keep 2000 running, including myself until I got tired of all the fiddling.
3) Java disabled a long time ago in FF.
4) N.O.Y.B.
NoelC Posted May 19, 2015

Avast has changed within the last year from a decent AV to a bloated mass that assumes the system exists just to run Avast.

-Noel