
emsisoft not quarantining redirect virus/malware


Logs.db3 is a database file. The scan log can be accessed from the Logs interface in EEK.

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3818101460-3092771793-1559115166-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKLM-x32 -> _tmp URL = 
2015-09-13 12:33 - 2015-09-13 12:33 - 00003010 _____ C:\Windows\System32\Tasks\{EA8B2722-2E03-434C-A519-F77A635A311B}
2014-10-15 07:54 - 2014-10-15 07:54 - 0000004 _____ () C:\Users\Bedroom\AppData\Roaming\appdataFr2.bin
2013-12-02 20:27 - 2013-12-02 20:27 - 0003584 _____ () C:\Users\Bedroom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

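The fixlist above names a handful of browser-policy registry keys, the IE start/search-page values, a GUID-named scheduled task and two loose files. The PowerShell below is an added example, not part of the original post and not something FRST produces: a read-only audit of exactly those locations, so you can see what is actually there before pressing Fix and confirm afterwards (against Fixlog.txt) that it is gone. Assumptions: it is run from an elevated prompt as the affected user, HKCU stands in for the HKU\S-1-5-21-...-1000 hive in the log, and %APPDATA% / %LOCALAPPDATA% stand in for the C:\Users\Bedroom paths.

```powershell
# Added example (not from the original post, not generated by FRST): read-only
# audit of the registry keys, scheduled task and files named in the fixlist.
# Assumptions: run elevated, as the affected user; HKCU stands in for the
# specific HKU\S-1-5-21-... hive, $env:APPDATA/$env:LOCALAPPDATA for C:\Users\Bedroom.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',                                      # CHR ... Restriction
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',                 # IE Restriction (machine)
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer',                 # IE Restriction (user)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main',         # Start Page, Search Page, Default_*
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'  # SearchScopes: HKLM-x32 -> _tmp
)
$taskFile   = Join-Path $env:SystemRoot 'System32\Tasks\{EA8B2722-2E03-434C-A519-F77A635A311B}'
$looseFiles = @(
    (Join-Path $env:APPDATA      'appdataFr2.bin'),
    (Join-Path $env:LOCALAPPDATA 'DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini')
)

function Show-RegistryResidue {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { "ABSENT   $key"; continue }
        # Walk the key and every subkey. An empty policy key does nothing; it is the
        # named values (in the subkeys FRST flags as 'Restriction') that lock the browser.
        $nodes = @(Get-Item -LiteralPath $key) +
                 @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($node in $nodes) {
            $names = $node.GetValueNames()
            if ($names.Count -eq 0) { "PRESENT  $($node.Name) (no values)"; continue }
            foreach ($name in $names) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                "PRESENT  {0}\{1} = {2}" -f $node.Name, $label, (@($node.GetValue($name)) -join ',')
            }
        }
    }
}

function Show-TaskResidue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { "ABSENT   $Path"; return }
    # Files under System32\Tasks are the task definitions in XML; the Exec action
    # shows what the GUID-named task launches and with which arguments.
    [xml]$task = Get-Content -LiteralPath $Path -Raw
    $execs = @($task.Task.Actions.Exec | Where-Object { $_ })
    if ($execs.Count -eq 0) { "PRESENT  $Path (no Exec action)"; return }
    foreach ($exec in $execs) {
        "PRESENT  {0}: runs {1} {2}" -f $Path, $exec.Command, $exec.Arguments
    }
}

function Show-FileResidue {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { "ABSENT   $p"; continue }
        $f = Get-Item -LiteralPath $p
        "PRESENT  {0} ({1} bytes, last written {2:u})" -f $p, $f.Length, $f.LastWriteTime
    }
}

Show-RegistryResidue -Keys $policyKeys
Show-TaskResidue     -Path $taskFile
Show-FileResidue     -Paths $looseFiles
```

Run it once before the fix and once after; any line still marked PRESENT after the fix is something Fixlog.txt should explain. The Chrome policy values reported under HKLM\SOFTWARE\Policies\Google are the same ones Chrome itself lists at chrome://policy.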

Changing tools.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <-- Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
    • The highest number of [X] is the most recent scan.

Hello, and thank you for stepping in to help!

I am unable to open the .json file, as it sends me to the internet to find a program to use. I wouldn't know which program to use. I can rename it to a .txt, if you like. I do not know if that will make a difference in the information.

Please advise, and thank you again!


I tried a few different things to get the file into this page as a .json...but nothing worked...so I renamed it from .json to .txt - hoping it would still be usable - and attached it here. If it's not usable...I will follow your direction to get the file to you as a .json.

Thank you, again, for your help!

RKreport_SCN_09212015_125036.txt


Hello,

That works as well. :) Both your RogueKiller and FRST logs look clean. Could you please tell me exactly what kind of redirects you are getting and in what browser(s)?

Also, please rerun FRST, check the box for Addition.txt and run a scan, and post me Addition.txt (no need for FRST.txt) so I can have a look at some installed programs that sometimes could cause MBAM alerts, which you indicated are still occurring.

Besides the redirects, do you have any other problem with your computer?


I have been using Chrome and have not experienced redirects in any other browser. I am using Opera to do this troubleshooting.

The redirects vary between two different outcomes. In one redirect, Malwarebytes jumps in and stops it. In the other redirect I kill it as soon as I see it - and I am watching for it so I'm able to catch them quickly and kill them. It is much better than it was...I used to have to reboot to kill a redirected page.

Question: when I ran RogueKiller, I disconnected all USB and external drives. However, I have an external hard drive that I back up once each week. Could something be lurking there and causing the redirects?

Other than the redirects, my computer is running fine, though it does seem slower - like when I try to watch a video I get the circle sometimes.

Attached is the Addition.txt document I just ran...

Thank you so much for all your help!

Edit:

I just spent some time trying to cause a redirect in Opera and it never happened...FYI...

Addition_23-09-2015_11-13-08.txt


Thank you for the additional information! Could you post the part of the MBAM protection log showing what it blocks? This may be helpful in determining where this is coming from.

There is no need to worry about the external drive; I see no evidence of that causing any interference, the problem seems limited to Chrome only. Have you tried cleaning the Chrome browser cache?


And what about this? :)

Have you tried cleaning the Chrome browser cache?

If not, please do this by clicking the three-lines icon in the top right corner and selecting Settings. In the settings window, click History in the top left corner and click the Clear Browsing Data button. Leave the options checked as they are (if you want you can check "browsing history" too) and click the Clear Browsing Data button. When done, restart your browser and let me know if you still notice any redirects occurring.


Wow...I did not know about that button! Thank you so much for the detailed instructions...I cleared it back to the beginning of time and I haven't yet experienced a redirect since the reboot. Can we leave this thread open until tomorrow...just to be sure? And I will post in the morning how it's all doing.

Thank you so much...sometimes it is the little things!


Well dangit! Just got another redirect...Malwarebytes did not catch it...I'm going to have to reboot to kill it...I don't know what might help you...but this is the URL that came up:

makeforexsimple.com/bcd2uvw.html

There is a woman's voice telling me I am in danger and have a virus installed on my computer...it's strongly advised that I call the number provided as soon as possible and I will be guided for the removal of the virus on my computer...


Could you look in your Chrome history for the site that you accessed directly before this one? That may help us find out where the redirect comes from.

BTW, instead of a reboot, you can just press Ctrl-Alt-Del, click Task Manager and kill all Chrome processes; that should work too.

I can confirm that this is 100% an online scam; nothing is installed on your computer when you access this URL, you just get a scary message that "hopefully" tricks you into calling them and purchasing an expensive and useless cleaning service.


I was on zerohedge.com when I clicked and that warning came up...

I have to reboot because when I relaunch after Ctrl-Alt-Del, Chrome just relaunches the same pages and that includes the stupid warning page...if I reboot, then just one page launches asking me if I want to restore and I say no and start over. The warning page will not let me X it off or kill it in any way.

You believe that the redirect is sourced from zerohedge.com? And not from my computer?


Please open Chrome Settings and look under "On startup". If "Continue where I left off" is ticked, change this to whatever option you prefer to avoid having the fake alarm page reload automatically.

Can you browse zerohedge.com from another browser as well? Does this trigger the scam page as well?


I've been using Firefox since yesterday afternoon and not a single redirect! Chrome must be the culprit? Interesting...

If you want to leave this thread open for another day, I'll report back again tomorrow and let you know for sure.

You guys are a wonderful resource...thank you so much for being there!


You're welcome. :)

If you wish to keep using Chrome, just let me know and we can look into this issue in more detail. You could try to make a new Chrome profile and see if that gets redirected as well. If not, you can just export your bookmarks/favorites and import them in the new profile and delete the old one.


First of all, could you make the test profile as also indicated in my previous post? To do this, open Settings and under People click Add Person. You can just import bookmarks from your current profile. Then open Chrome using the new profile and see if you still have the same issue.


In case that takes care of the redirects, you could just make sure you've migrated all your important settings and delete the other (older) profile. In case this profile redirects as well, let me know and we'll look further into it.

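Three things the helper asks for in the posts above can be done from one script instead of by hand: ending every Chrome process rather than rebooting (the Ctrl-Alt-Del post), checking what Chrome will do "On startup" so the scam tab is not restored, and opening Chrome with a clean, separate profile to see whether the redirect follows the profile or the site. The PowerShell below is an added example, not from the original thread and not Google's code. Assumptions: PowerShell 5.1, the default profile under %LOCALAPPDATA%\Google\Chrome\User Data\Default, the preference names session.restore_on_startup / session.startup_urls and their values 1 = continue where I left off, 4 = open specific pages, 5 = New Tab page (stated from memory, so confirm in chrome://settings), and Chrome's --user-data-dir switch, which gives a profile with no extensions, cache or synced settings. The zerohedge.com URL is the one the user reported.

```powershell
# Added example, not part of the original thread. Assumptions are noted in the
# comments; verify the startup setting in chrome://settings as well.

function Stop-Chrome {
    # Chrome is many processes (one per tab, extension, GPU, ...). If one survives
    # it respawns the rest and the scam tab comes back, so end all of them.
    $procs = @(Get-Process -Name chrome -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 0) { $procs | Stop-Process -Force -ErrorAction SilentlyContinue }
    return $procs.Count          # number of processes ended
}

function Get-ChromeStartup {
    # Reads the profile's Preferences file (JSON). Only meaningful once Chrome is
    # closed, because Chrome rewrites the file when it exits.
    param([string]$ProfileDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'))
    $prefsPath = Join-Path $ProfileDir 'Preferences'
    if (-not (Test-Path -LiteralPath $prefsPath)) { throw "No Preferences file at $prefsPath" }
    $prefs = Get-Content -LiteralPath $prefsPath -Raw | ConvertFrom-Json
    $mode  = $prefs.session.restore_on_startup
    # Assumed mapping (from memory): 1 = continue where I left off, 4 = open a
    # specific set of pages, 5 = New Tab page; absent = Chrome's default (New Tab).
    $meaning = switch ($mode) {
        1       { 'continue where I left off - the scam tab will be restored' }
        4       { 'open a specific set of pages (see StartupUrls)' }
        5       { 'open the New Tab page' }
        default { 'not set; Chrome default (New Tab page)' }
    }
    [pscustomobject]@{
        RestoreOnStartup = $mode
        Meaning          = $meaning
        StartupUrls      = @($prefs.session.startup_urls | Where-Object { $_ })  # a pinned scam URL shows here
    }
}

function Start-ChromeFreshProfile {
    # A separate --user-data-dir is an empty Chrome: no extensions, no cache, no
    # synced settings. Redirect gone here = something in the old profile;
    # redirect still present = the site or the network path, not the profile.
    param(
        [string]$DataDir = (Join-Path $env:TEMP 'chrome-test-profile'),
        [string]$Url     = 'http://zerohedge.com/'
    )
    $roots  = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:LOCALAPPDATA) | Where-Object { $_ }
    $chrome = $roots |
        ForEach-Object { Join-Path $_ 'Google\Chrome\Application\chrome.exe' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $chrome) { throw 'chrome.exe not found in the usual install locations' }
    Start-Process -FilePath $chrome -ArgumentList "--user-data-dir=`"$DataDir`"", $Url
}

"Ended $(Stop-Chrome) Chrome process(es)"
Get-ChromeStartup | Format-List
Start-ChromeFreshProfile
```

The order matters: read Preferences only after Stop-Chrome, and if the fresh profile is clean, delete the test directory afterwards rather than keeping two profiles around.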
This topic is now closed to further replies.