Annoying bug.

GTP

Have a client with a Samsung Laptop. Nice unit with i7, 8GB RAM, TB HDD, Win 10 etc, but an annoying bug keeps coming back.

I initially scanned with Malwarebytes (client had already bought and installed paid version 3.something); it found nothing.

Scanned with Emsisoft Antimalware Rescue CD, found Application.adware.toolbar and W32Troj.cryxos.e and removed them.

Scanned with Bitdefender Rescue from a live USB, found w32.Troj.Cryxos.a and quarantined it.

Cleaned out all temps, removed any and all unneeded software, cleaned out Appdata folder of all residual junk, prowled through registry looking for anything strange, etc.
Ran CCleaner and System Ninja to cleanup junk files/startup entries.
Removed Google Chrome, and Firefox and installed Opera. Tested on internet and it pops up again??!
Removed Opera and reinstalled FF, tested, same thing!
Removed FF and reinstalled Chrome, same result!
Didn't try EDGE or IE.

What am I missing?
 
When you say 'tested on internet' , do you mean 'fired up a browser and it came back'? I've had one before that installed itself as a FF add-on (also infected Chrome and IE, presumably at the same time). Took an age to track down - simply because I just didn't think to check there. But all AV ignored it, presumably thinking that an add-on is there by design and with the owner's consent. Not sure this quite fits your circumstances, but a quick and easy thing to check.
 
I installed Opera "plain-jane" and it appeared straight away.
I did check and remove any and all extensions from Chrome and FF before I completely removed both browsers.
It appeared after I reinstalled both Chrome and FF minus any extensions.
It's possible Chrome and FF picked up previous settings on the reinstall?
Thing is I've done dozens of these type of infections and they get removed easily enough.
This one just keeps coming back!
 
Yeah - I think FF, at least, will often re-inherit stuff from previous installations unless you completely remove it. What happens in safe mode? I came across a malware remover called 'Plumbytes' recently which touts itself as a successor to ComboFix. It's a commercial (i.e. not free) product, but with the trial version you can run a scan which shows you what it's found. Armed with that knowledge, so you know where to look, you might be able to manually get rid of whatever it is.
 
Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs...
 
Have a client with a Samsung Laptop. Nice unit with i7, 8GB RAM, TB HDD, Win 10 etc, but an annoying bug keeps coming back.

I initially scanned with Malwarebytes (client had already bought and installed paid version 3.something); it found nothing.

Scanned with Emsisoft Antimalware Rescue CD, found Application.adware.toolbar and W32Troj.cryxos.e and removed them.

Scanned with Bitdefender Rescue from a live USB, found w32.Troj.Cryxos.a and quarantined it.

Cleaned out all temps, removed any and all unneeded software, cleaned out Appdata folder of all residual junk, prowled through registry looking for anything strange, etc.
Ran CCleaner and System Ninja to cleanup junk files/startup entries.
Removed Google Chrome, and Firefox and installed Opera. Tested on internet and it pops up again??!
Removed Opera and reinstalled FF, tested, same thing!
Removed FF and reinstalled Chrome, same result!
Didn't try EDGE or IE.

What am I missing?
It's not a browser problem then. Something in the network chain. Hosts maybe? proxy? scheduled tasks...
 
Are you sure you uninstalled everything that is not needed? Many times tiny programs are installed with names that make them look like something else. I know I have seen this updateyourprograms.xyz domain and it was something installed somewhere, I just can't recall what.
 
Client is bringing it back tomorrow.
I thought after Malwarebytes found nothing, running Emsisoft and Bitdefender found a couple of things that would have cleaned it out?
I think I'll run Metadefender Cloud and prowl the registry and hosts file for updateyourprograms.xyz.
I might try Hijack This as well. It's an oldie but a goodie. Could try Zemana as well if I've got time.

Edit/ Just doing some "googling", seems that it lives in the hosts file, so I'll look there first. Also plenty of sites recommend FreeFixer for removal.
I've got @AlexCa Windows Repair Toolbox that has a lot of these tools so I'll fire that up.
I'll report findings here :)
 
Are you sure you uninstalled everything that is not needed? Many times tiny programs are installed with names that make them look like something else. I know I have seen this updateyourprograms.xyz domain and it was something installed somewhere, I just can't recall what.
Yes, pretty sure. There wasn't a lot on it anyway. Everything left installed is known programs like Office, iTunes, audio and network drivers, nVidia, etc.
 
It's not a browser problem then. Something in the network chain. Hosts maybe? proxy? scheduled tasks...
Yes, good points, I'll check them as well when I get access to it tomorrow.
I played with it most of the afternoon after scanning/cleaning it and no sign of it but client rang about 7.30 saying it was back :(
 
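The replies above point at the hosts file, proxy settings and scheduled tasks as places an adware redirect can survive a browser reinstall. The script below is an added, read-only triage example (not something anyone in the thread posted, and not part of Windows Repair Toolbox or FRST) that dumps those spots plus the Run keys, Chrome/Edge policy keys and Chrome's Preferences file, and flags any entry that mentions the updateyourprograms.xyz domain named in the thread. The `$Suspect` list and the regex of "odd" task commands are my own assumptions; extend them with whatever the scans actually find. Run it from an elevated PowerShell prompt on the affected laptop.

```powershell
# Added triage example, not from the original thread. Read-only: it lists, it does not remove.
# $Suspect holds the indicator mentioned in the thread; anything else you find goes here too.
$Suspect = @('updateyourprograms.xyz')

function Test-Indicator {
    param([string]$Text)
    foreach ($s in $Suspect) {
        if ($Text -and $Text.ToLower().Contains($s.ToLower())) { return $true }
    }
    return $false
}

# 1. hosts file: on a home laptop any non-comment line at all deserves a look
Write-Host "== hosts file (non-comment lines) =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { if (Test-Indicator $_) { "$_   <== SUSPECT" } else { $_ } }

# 2. proxy settings: per-user WinINET (what the browsers use) and system-wide WinHTTP
Write-Host "`n== WinINET proxy (HKCU) =="
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
Write-Host "== WinHTTP proxy =="
netsh winhttp show proxy

# 3. scheduled tasks: enabled tasks whose action runs a script, lives in a user-writable
#    folder, fetches something over http, or references the suspect domain
Write-Host "`n== scheduled tasks worth reading =="
$oddCommand = 'AppData|ProgramData|\\Temp\\|\.vbs|\.js|\.ps1|mshta|wscript|cscript|powershell|http'
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $oddCommand -or (Test-Indicator $cmd)) {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
        }
    }
} | Format-Table -AutoSize -Wrap

# 4. Run / RunOnce autoruns for the machine and the current user (64-bit and WOW64 views)
Write-Host "`n== Run / RunOnce keys =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $flag = if (Test-Indicator "$($_.Value)") { '   <== SUSPECT' } else { '' }
            "$k : $($_.Name) = $($_.Value)$flag"
        }
}

# 5. browser policy keys: adware often pins homepage/search via Chrome or Edge policies,
#    which survive an uninstall/reinstall because they live in the registry, not the profile
Write-Host "`n== Chrome / Edge policy keys (should normally be absent on a home PC) =="
$policyKeys = @(
    'HKLM:\Software\Policies\Google\Chrome', 'HKCU:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Microsoft\Edge', 'HKCU:\Software\Policies\Microsoft\Edge'
)
foreach ($k in $policyKeys) {
    if (Test-Path $k) { Write-Host "PRESENT: $k"; Get-ItemProperty $k | Format-List }
}

# 6. Chrome's per-user Preferences file is kept after a plain uninstall, which is one way a
#    "fresh" reinstall inherits the old homepage/search engine; grep it for the indicator
Write-Host "`n== Chrome Preferences =="
$prefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $prefs) {
    $hits = Select-String -Path $prefs -Pattern ($Suspect -join '|') -SimpleMatch
    if ($hits) { "SUSPECT domain found in $prefs" } else { "no indicator in $prefs" }
} else { "no Chrome profile at $prefs" }
```

The point of the script is coverage rather than cleverness: each section is one of the persistence spots named in this thread, and printing them side by side makes it obvious when two of them point at the same file or domain, which is the "more than one thing is doing it" case a later reply describes. Nothing here modifies the machine, so it is safe to run before and after a cleanup and diff the two outputs.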
Unless I missed it : control panel -> Internet Options
Check everything, esp plugins, search engines, advanced settings. Manually reset everything to defaults.

It's also possible more than one thing is doing it, so clearing one thing looks like you addressed it, but then on a reboot or running something you wake it back up and it sets back what you cleared out. Scheduled tasks, startup, who knows what.

Also when you get this page in CHROME, note the little icons to the right of the URL. Also check history at that point (3 dots at right, then HISTORY, then on the left click HISTORY again; that should show you every page loaded in sequence).

I don't like that URL showing www.google.com.au as some kind of variable.

Install adblock plus, restart chrome, see if it clues you into anything.
 
Does this come up randomly or only when using Google search or something else specific? If only on search, try Bing or Yahoo and see if it triggers.

If only Google search, try setting the default Google search to the US address and see if that issue goes away:
 