Google chrome and firefox starting up with a virus website (fanli90)


  1. Posts : 579
    Windows 10 Home
       #11

    Also, let's do the following:

    Use the Zemana AntiMalware Download


    Double-click on the file Zemana.AntiMalware.Setup.exe to install.


    When the program starts you are presented with a Setup screen, click: Next
    Follow the prompts to install.

    Once Zemana AntiMalware starts, click: Scan


    When Zemana AntiMalware is finished it displays a list of all the malware found.
    Click on Next to remove the malicious files from your computer.


    A reboot may be required to remove malware.


    Click the Graph icon (far upper right), highlight the applicable log file, and then click: Open Report

    Please post the notepad text file for review.


  2. Posts : 16,325
    W10Prox64
       #12

    rezarawat said:
    Thanks for your advice 'prikker' but it seems those solutions still do not work. I'm gonna have to try spy hunter but the only problem is you have to buy the program so I'm not too sure now.
    Please do NOT, under any circumstances, install SpyHunter on your system. You're just asking for trouble by doing that.

    -Run TDSSKiller - in the options, select all boxes from the bottom up; it will reboot to scan
    -Open CCleaner free, clear all cache/history in all browsers - even ones you don't use.
    -Flush your DNS - at admin command prompt: ipconfig /flushdns
    -Reset all browsers on the machine - even ones you don't use.
    How to Reset Your Web Browser To Its Default Settings

    Microsoft Edge - Reset to Default in Windows 10

    -Run RKILL
    -Run ADWCleaner
    -Run JRT

    All these tools are free. All should be done in this order.


  3. Posts : 19
    windows 10
    Thread Starter
       #13

    Hi cottonball, I've done what you asked:

    Using command prompt:
    -------------------------------------------------------
    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handle within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost


  4. Posts : 19
    windows 10
    Thread Starter
       #14

    Cotton ball, I've now used Zemana and things seem fine. I will keep you posted. Here is the log file:



    Zemana AntiMalware 2.70.179.576 (Installed)


    -------------------------------------------------------
    Scan Result : Completed
    Scan Date : 2017/1/22
    Operating System : Windows 10 64-bit
    Processor : 4X Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz
    BIOS Mode : UEFI
    CUID : 123A7140A7F57224AE4412
    Scan Type : System Scan
    Duration : 15m 39s
    Scanned Objects : 152958
    Detected Objects : 22
    Excluded Objects : 0
    Read Level : Normal
    Auto Upload : Enabled
    Detect All Extensions : Disabled
    Scan Documents : Disabled
    Domain Info : WORKGROUP,0,2


    Detected Objects
    -------------------------------------------------------


    Shell Execute Hooks
    Status : Scanned
    Object : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnableShellExecuteHooks
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Potentially Unwanted Modification
    Cleaning Action : Delete
    Related Objects :
    Registry Entry - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnableShellExecuteHooks = enabled


    Firefox Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Shortcut


    Firefox Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Shortcut


    Firefox Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Firefox Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : --load-extension="C:\Users\user\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk"
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : --load-extension="C:\Users\user\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk"
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : --profile-directory=ChromeDefaultData
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : Funny collection
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Chrome Shortcut
    Status : Scanned
    Object : --load-extension="C:\Users\user\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk"
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Suspicious Browser Setting
    Cleaning Action : Repair
    Related Objects :
    Browser Setting - Chrome Shortcut


    Hosts File
    Status : Scanned
    Object : %systemroot%\system32\drivers\etc\hosts
    MD5 : 548F3A3D304552C73969EA1A0C635626
    Publisher : -
    Size : 3733
    Version : -
    Detection : Hosts Hijack
    Cleaning Action : Repair
    Related Objects :
    Hosts file - Too many empty lines in Hosts file
    File - %systemroot%\system32\drivers\etc\hosts


    WMIMalware
    Status : Scanned
    Object : ASEC
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Trojan:Win32/WMIGhost
    Cleaning Action : Repair
    Related Objects :
    Fileless Malware - WMIMalware : WMI::Root\Subscription\ASEC.mof


    rvsadapter.dll
    Status : Scanned
    Object : %programfiles%\chivaleplecerle\rvsadapter.dll
    MD5 : 91AAF5EFB7342F35DF2DC185443BE0FC
    Publisher : -
    Size : 179712
    Version : -
    Detection : Adware:Win32/BrowserHijack.Gen
    Cleaning Action : Quarantine
    Related Objects :
    File - %programfiles%\chivaleplecerle\rvsadapter.dll
    DLL - 2352 - C:\Windows\SysWOW64\svchost.exe
    Registry Entry - HKLM\System\CurrentControlSet\Services\Coofele\Parameters\ServiceDll = C:\Program Files (x86)\Chivaleplecerle\rvsadapter.dll


    Solution_manual_of_calculus_by_howard_anton_pdf_downloader.exe
    Status : Scanned
    Object : %userprofile%\downloads\programs\solution_manual_of_calculus_by_howard_anton_pdf_downloader.exe
    MD5 : 73D850B7BEEE1AB7BD6619707D948D49
    Publisher : MEGASTYAZHKA OOO
    Size : 524496
    Version : 1.0.0.6
    Detection : Adware:Win32/AutoBulk.51d80e!Ep
    Cleaning Action : Quarantine
    Related Objects :
    File - %userprofile%\downloads\programs\solution_manual_of_calculus_by_howard_anton_pdf_downloader.exe


    maoha
    Status : Scanned
    Object : NE->c:\program files (x86)\maoha
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : PUA:Win32/MaohaWiFi.D!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    ucbrowser
    Status : Scanned
    Object : NE->c:\users\user\appdata\local\ucbrowser
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : PUA:Win32/UCBrowser.C!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    installationconfiguration.xml
    Status : Scanned
    Object : NE->c:\users\user\appdata\roaming\installationconfiguration.xml
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/Linkury.A!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    kuaizip
    Status : Scanned
    Object : NE->c:\users\user\appdata\roaming\kuaizip
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : PUA:Win32/KuaiZip.B!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    main.dat
    Status : Scanned
    Object : NE->c:\users\user\appdata\roaming\main.dat
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/Linkury.G!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    kuaizipdrive.sys
    Status : Scanned
    Object : NE->c:\windows\system32\drivers\kuaizipdrive.sys
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : PUA:Win32/KuaiZip.D!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    {343c5224-aa7c-46b4-bebd-b05fe24b94e4}
    Status : Scanned
    Object : NE->c:\windows\system32\tasks\{343c5224-aa7c-46b4-bebd-b05fe24b94e4}
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/CHR.TASKSCHD.GEN.A!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)




    Cleaning Result
    -------------------------------------------------------
    Cleaned : 22
    Reported as safe : 0
    Failed : 0
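The Zemana log in post #14 names several persistence points: browser shortcuts with appended arguments, the hosts file, a WMI subscription, a svchost ServiceDll and a GUID-named scheduled task. The following is an added example, not part of the thread and not Zemana's detection logic: a read-only PowerShell re-check of those locations after cleanup. The folder list and match patterns are assumptions.

```powershell
# Added example: read-only re-check of the persistence points listed in the Zemana log.
# Folder list and filters are assumptions; run from an elevated PowerShell prompt.

# 1. Chrome/Firefox shortcuts that carry appended arguments (e.g. --load-extension=...)
$shell = New-Object -ComObject WScript.Shell
$dirs  = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
$dirs += "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes taskbar pins
Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match '(chrome|firefox)\.exe$' -and $lnk.Arguments.Trim()) {
            [pscustomobject]@{ Check = 'Shortcut'; Item = $_.FullName; Value = $lnk.Arguments }
        }
    }

# 2. Hosts file: active (non-comment) entries, plus the blank-line padding the log flagged
$lines = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
$blank = @($lines | Where-Object { -not $_.Trim() }).Count
[pscustomobject]@{ Check = 'Hosts'; Item = 'blank lines / total lines'; Value = "$blank / $($lines.Count)" }
$lines | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object { [pscustomobject]@{ Check = 'Hosts'; Item = 'active entry'; Value = $_.Trim() } }

# 3. WMI permanent event subscriptions (the log reported an ASEC object under Root\Subscription)
foreach ($class in '__EventFilter', '__EventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Check = 'WMI'; Item = $_.CimClass.CimClassName; Value = $_.Name } }
}

# 4. svchost-hosted services whose ServiceDll lives outside %SystemRoot%
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if ($p -and [Environment]::ExpandEnvironmentVariables($p.ServiceDll) -notlike "$env:SystemRoot\*") {
        [pscustomobject]@{ Check = 'ServiceDll'; Item = $_.PSChildName; Value = $p.ServiceDll }
    }
}

# 5. GUID-named scheduled tasks, like the one quarantined from System32\Tasks
Get-ChildItem "$env:SystemRoot\System32\Tasks" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object { [pscustomobject]@{ Check = 'Task'; Item = $_.Name; Value = $_.FullName } }
```

Each row is a prompt for manual review rather than a verdict, since legitimate software can also register WMI subscriptions or services with a ServiceDll outside the Windows directory.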


  5. Posts : 134,318
    Windows 11 Pro (x64) 23H2 Build 22631.3296
       #15

    rezarawat said:
    Sorry Caledon ken I am a bit unclear about what you are trying to say. I went into the drivers folder in system32 and couldn't find a host file. So I searched in that folder, found a file called 'host' opened it in notepad and noticed it all starts with hashtags. But I don't know what to do with this. The tools are detecting something and removing them, which was UC. I will try adwcleaner again and see if it detects this. But before it didn't
    You could try giving SuperAntiSpyware a shot at looking for malware on your hard drive. There is a free version.
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!


  6. Posts : 19
    windows 10
    Thread Starter
       #16

    Hi everyone,

    Thank you for all the help, my problem seems to be solved. Zemana AntiMalware did the job. It deleted all the fanli.cn viruses and quarantined a few others. Now Firefox and Chrome are running normally again.


  7. Posts : 382
    Windows 10 Home
       #17

    Problem solved, I'm happy we could help you. Try to be more careful about what you download and install next time. Before installing, check it first with your antivirus.


  8. Posts : 579
    Windows 10 Home
       #18

    rezarawat,

    Glad Zemana AntiMalware worked for you. It is a good resource to get rid of problems like the ones on your machine.



 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
