I keep being redirected through "find-all-you-want.com"

ust4ever

Honorable
Jun 24, 2013
Hi all, having some difficulty with a nasty bit of (what I think is) malware that frequently redirects me to advertisements and illegitimate retail websites (usually when I'm shopping online).

I have run scans with AVG and Malwarebytes Anti-Malware, both of which returned no suspicious items.
I have looked through my extensions etc, nothing there either.
Problem occurs on multiple browsers.

Anyone have any experience with this virus? Know how to remove it?


Thanks,
Adam
 

thently

Distinguished
May 10, 2007
Ever used combofix from a website called bleepingcomputers.com? It has saved me several times. Also make sure your browser is not using a proxy. Gear/Internet options/Connections/LAN Settings. That's the location for IE. Also in IE go to Gear/Internet options/Advanced/ and hit both "Restore advanced settings" and the "Reset" right below that. This seems to fix a lot of issues I run into after having malware.

Thent
 

ust4ever

Honorable
Jun 24, 2013
Here's the JRT log, I'll post the Adwcleaner log once I've done it. JRT detected a few things, most of which were false positives. I'm still being redirected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8.1 Pro x64
Ran by Adam on 11/01/2015 at 15:13:52.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Adam\appdata\local\{1d6ffef8-df90-6e1f-2aac-58de09e7480e}



~~~ FireFox

Successfully deleted the following from C:\Users\Adam\AppData\Roaming\mozilla\firefox\profiles\vl04vh17.default\prefs.js

user_pref("browser.startup.homepage", "hxxps://mysearch.avg.com?cid={4734E79C-0A86-4A68-8DA8-FD050000C56A}&mid=6b237116d72947d2a1eba59d73f66a58-96c9fedd871b690d0679690db280902



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/01/2015 at 15:17:30.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

ust4ever

Honorable
Jun 24, 2013
Here's the Adwcleaner results:
# AdwCleaner v4.107 - Report created 12/01/2015 at 18:20:20
# Updated 07/01/2015 by Xplode
# Database : 2015-01-11.2 [Live]
# Operating System : Windows 8.1 Pro (64 bits)
# Username : Adam - THEBEAST
# Running from : C:\Users\Adam\Downloads\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : iSafeKrnlMon

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Adam\AppData\Local\AVG SafeGuard toolbar
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\fahmaaghhglfmonjliepjlchgpgfmobi
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljngnafhejmefmijjoedbclkadhacebd
Folder Deleted : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
File Deleted : C:\WINDOWS\System32\log\iSafeKrnlCall.log

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v31.0 (x86 en-US)


-\\ Google Chrome v39.0.2171.95


-\\ Chromium v


-\\ Opera v26.0.1656.60


*************************

AdwCleaner[R0].txt - [9039 octets] - [11/01/2015 15:05:37]
AdwCleaner[R1].txt - [2176 octets] - [12/01/2015 18:18:17]
AdwCleaner[S0].txt - [14086 octets] - [11/01/2015 15:06:40]
AdwCleaner[S1].txt - [2125 octets] - [12/01/2015 18:20:20]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2185 octets] ##########


Problem persists.
 

geekbstrd

Estimable
Jan 17, 2015
Adam, I'm fighting the same issue. I started a thread on Bleeping Computer, found here http://www.bleepingcomputer.com/forums/t/563318/infected-browser-redirects-to-find-all-you-wantcom/#entry3596884 but no solution. I have run combofix, malwarebytes, rkill, reset browsers, checked hosts file, uninstalled and reinstalled chrome, among other things. Still I continue to have the issue. If I find something I'll post back.
 

mrdog

Estimable
Jan 20, 2015
I have the same redirecting bs, I went as far as changing my router DNS addresses. I thought I had some luck stopping it by disabling the Windows Search service, then the GF fired up Firefox this weekend and it reappeared, Fxxx!

The webroot community is not aware of this virus and has no solution either. I'm still working on it, but the beer is running out.
 

TmacRex

Estimable
Mar 12, 2015
I believe I have found a solution. After trying all suggestions on MANY forums, using several different malware removers, I ended up getting rid of it by using MSCONFIG to narrow it down to the offending service. I believe it infected or impersonated a legitimate service (in my case, there were 5 services by N-Able Technologies and also one called Sudowin by l o s t c r e a t i o n s). Not sure which of these was it, but after disabling these six services, my browsers are behaving normally again. Hope that helps.
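The manual checks suggested in this thread (thently's proxy check in Internet Options, the hosts file and DNS changes geekbstrd and mrdog tried, and TmacRex's MSCONFIG pass over services) can be collected in one read-only PowerShell audit. This is an added example, not code from any poster or from the tools named above; it assumes a Windows 8.1-era host (the thread's OS) with the built-in DnsClient module, and it only reports, it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the places a
# browser-redirect infection usually hides. Run in an elevated PowerShell
# prompt so service binaries under Program Files can be read.

function Get-ProxyAudit {
    # Same values thently's "LAN settings" dialog edits, read from WinINET's registry key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable        # 1 = a manual proxy is in use
        ProxyServer   = $p.ProxyServer        # host:port of that proxy, if any
        AutoConfigURL = $p.AutoConfigURL      # a PAC URL here reroutes traffic without a visible proxy
    }
}

function Get-HostsAudit {
    # Non-comment entries in the hosts file; anything beyond localhost deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }
}

function Get-DnsAudit {
    # Per-adapter resolvers; compare with what the router or ISP is expected to hand out.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}

function Get-ServiceAudit {
    # The programmatic version of TmacRex's MSCONFIG triage: list every service whose
    # executable is not signed by Microsoft, with its start mode and signature status.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if     ($path -match '^"([^"]+)"')   { $exe = $Matches[1] }   # quoted path
        elseif ($path -match '^(\S+\.exe)')  { $exe = $Matches[1] }   # unquoted, no spaces
        else                                 { $exe = $path }         # unquoted path with spaces: reported as NotFound
        $sig = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $exe
            Status    = if ($sig) { $sig.Status } else { 'NotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or not found>' }
        }
    } | Where-Object { $_.Signer -notmatch 'Microsoft' }
}

# Usage: run each check and eyeball the output before disabling anything.
Get-ProxyAudit
Get-HostsAudit
Get-DnsAudit
Get-ServiceAudit | Sort-Object StartMode, Name | Format-Table -AutoSize
```

The service list is deliberately broad: legitimate third-party software (remote-management agents, printer helpers) will appear too, so the value is in the Path and Signer columns, which let you confirm each entry against the vendor before stopping it, the same judgement TmacRex applied by hand in MSCONFIG. The WinINET key covers per-user browser settings; the machine-wide WinHTTP proxy is shown separately by `netsh winhttp show proxy`.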
 

spat55

Honorable
Jun 4, 2012
Why not just do a reinstall of windows? It will be quicker than trying to find the issue and if you have backups of your data before the malware you should be good to go.
 
