Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help with go.redirectro.com malware on Chrome


  • This topic is locked This topic is locked

#1
wyrfxrssn

wyrfxrssn

    New Member

  • Member
  • Pip
  • 4 posts

I started having some issues with Chrome the other night: when I google something, the URL displays go.redirectro.com and searches the internet with what looks like a fake Yahoo search (to be fair I haven't used Yahoo since like Y2K so I don't know what a Yahoo search looks like). When a page is loaded, clicking will occasionally reopen the page in a new tab and the old tab will load a spam page. It feels like I've tried everything to get rid of the issue. I uninstalled some fishy-looking programs, scanned with AVG, Malwarebytes, AdwCleaner, and the Chrome Cleanup Tool, and reinstalled Chrome, restarting several times throughout the process, but still no dice. It doesn't effect Firefox but I do everything in Chrome and would rather solve the issue than ignore it.
 
I installed and ran the Farbar Recover Scan Tool and ran it and my results are attached. Any help would be greatly appreciated!

 

 

Attached Files


  • 0

Advertisements


#2
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,652 posts
Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue Stop and ask! Never be afraid to ask questions! :)

Next

Download AdwCleaner from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:
  • iO5EZayK.png
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning a report appears.Once done it will ask to reboot, allow this
  • adwcleaner_delete_restart.jpg
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
  • Next
  • Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts. See Here how to disable you security protection (Anti Virus)
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
  • After further review I see that you ran those programs above. Run them once more an post the log files.


    Next

    A few items to fix
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Open notepad (Start =>All Programs => Accessories => Notepad).
    Copy/Paste the contents of the code box below into Notepad.
    start
    CloseProcesses:
    CreateRestorePoint:
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
    SearchScopes: HKLM -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = 
    SearchScopes: HKLM -> {6122BF9D-A333-417E-B4E7-35CDB48DB3D8} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
    SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
    SearchScopes: HKU\S-1-5-21-2727595699-1335264708-1319002134-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = 
    SearchScopes: HKU\S-1-5-21-2727595699-1335264708-1319002134-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
    Toolbar: HKU\S-1-5-21-2727595699-1335264708-1319002134-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
    C:\ProgramData\fontcacheev1.dat
    2016-07-15 21:51 - 2016-07-15 21:51 - 0000000 _____ () C:\Users\wyrfxrssn\AppData\Local\Temp\GUR7737.exe
    2014-01-19 19:52 - 2010-05-21 17:38 - 0074808 _____ (Hewlett-Packard) C:\Users\wyrfxrssn\AppData\Local\Temp\HPHelpUpdater.exe
    2015-11-08 22:30 - 2015-09-28 09:08 - 0594448 _____ (Hewlett-Packard) C:\Users\wyrfxrssn\AppData\Local\Temp\HPSFUpdater.exe
    2017-04-20 04:36 - 2017-04-20 04:36 - 0739904 _____ (Oracle Corporation) C:\Users\wyrfxrssn\AppData\Local\Temp\jre-8u131-windows-au.exe
    2017-07-27 04:36 - 2017-07-27 04:37 - 0740416 _____ (Oracle Corporation) C:\Users\wyrfxrssn\AppData\Local\Temp\jre-8u144-windows-au.exe
    2013-10-02 15:53 - 2013-10-02 15:53 - 49662160 _____ (Microsoft Corporation) C:\Users\wyrfxrssn\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
    2010-03-15 21:11 - 2010-03-15 21:11 - 0149352 ____R (Microsoft Corporation) C:\Users\wyrfxrssn\AppData\Local\Temp\ose00000.exe
    2014-09-23 22:22 - 2014-09-23 22:22 - 0010752 _____ () C:\Users\wyrfxrssn\AppData\Local\Temp\PlaySound.dll
    2014-01-19 19:52 - 2012-05-04 02:24 - 0031616 _____ (Hewlett-Packard Company) C:\Users\wyrfxrssn\AppData\Local\Temp\Resource.exe
    2013-09-16 09:45 - 2014-02-12 14:24 - 0004133 _____ () C:\Users\wyrfxrssn\AppData\Local\Temp\SearchProtectionSetup.exe
    2014-01-16 01:01 - 2014-01-16 01:01 - 2578736 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP56478.exe
    2014-01-17 09:32 - 2014-01-17 09:32 - 2264112 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP56750.exe
    2012-06-30 13:34 - 2012-06-30 13:34 - 144895440 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP56904.exe
    2013-06-04 02:20 - 2013-06-04 02:20 - 4022944 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP56929.exe
    2013-07-19 20:02 - 2013-07-19 20:02 - 23478616 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP57538.exe
    2013-07-11 21:51 - 2013-07-11 21:51 - 6594568 _____ (Hewlett Packard Inc                                         ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP57698.exe
    2013-05-09 08:48 - 2013-05-09 08:48 - 45042944 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP57966.exe
    2013-07-28 17:37 - 2013-07-28 17:39 - 41580520 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\sp58915.exe
    2013-07-12 02:48 - 2013-07-12 02:48 - 6709496 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP60051.exe
    2013-06-24 08:58 - 2013-06-24 08:58 - 9982176 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP61037.exe
    2013-08-29 04:38 - 2013-08-29 04:38 - 6844168 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP62991.exe
    2013-10-25 10:58 - 2013-10-25 10:58 - 6879392 _____ (Hewlett-Packard Company                                     ) C:\Users\wyrfxrssn\AppData\Local\Temp\SP63801.exe
    2014-01-17 08:49 - 2014-01-17 08:49 - 44799704 _____ (Hewlett-Packard                                             ) C:\Users\wyrfxrssn\AppData\Local\Temp\sp64126.exe
    2013-09-17 09:42 - 2013-10-01 09:48 - 4728320 _____ (Spotify Ltd) C:\Users\wyrfxrssn\AppData\Local\Temp\SpotifyUninstall.exe
    2017-07-29 05:02 - 2017-07-29 05:02 - 1199825 _____ () C:\Users\wyrfxrssn\AppData\Local\Temp\unins000.exe
    2014-05-07 17:58 - 2014-05-07 17:32 - 2030104 _____ (AVG Technologies) C:\Users\wyrfxrssn\AppData\Local\Temp\UNINSTALL.EXE
    2013-07-28 17:39 - 2015-09-28 10:36 - 0144912 _____ (Hewlett-Packard Company) C:\Users\wyrfxrssn\AppData\Local\Temp\UninstallHPSA.exe
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    Task: {882DDFC6-C2C0-40B1-B3B6-869EECDBD4CE} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
    CMD: bitsadmin /reset /allusers
    CMD: netsh winsock reset catalog
    CMD: ipconfig /flushdns
    RemoveProxy:
    hosts:
    Emptytemp:
    
    [list]
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

  • 0

#3
wyrfxrssn

wyrfxrssn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

I followed your instructions step by step and the logs you requested are attached. There are a few AdwCleaner logs cuz I ran it a few times so I'll include the newest one.

Attached Files


  • 0

#4
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,652 posts
Hello,

If Chrome is still acting up we will need to reinstall Chrome in this manner.

Uninstall / reinstall Chrome

1.Close all Chrome windows and tabs.
2.Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
3.Click Programs and Features.
4.Double-click Google Chrome.
5.Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.

If you have Bookmarks that you want to save, you want to do that first.

Export / Import Bookmarks. https://support.goog...wer/96816?hl=en

Then reinstall Chrome from here-->http://www.google.com/chrome/
  • 0

#5
wyrfxrssn

wyrfxrssn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

Looks like it worked. Thanks a bunch for the help!


  • 0

#6
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,652 posts
Hello,

We need to remove the tools we used and then close the topic.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

Why we need to remove some of our tools:
Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight. They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right click on the 51a5ce45263de-delfix.png icon and Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Paste it for my review.

  • 0

#7
wyrfxrssn

wyrfxrssn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

The DelFix log is attached hey


  • 0

#8
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,652 posts
I don't see the log, but I'm not to worried about it.

If there are no further issues. I'll close the topic.

Thanks for using the forum today for your computer needs.
  • 0

#9
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,652 posts
You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices please read Here


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Thanks
Joe :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP