Avast WEBforum

Other => Viruses and worms => Topic started by: ahmunra79 on November 21, 2019, 12:28:08 PM

Title: Please help "dinoraptzor.org"
Post by: ahmunra79 on November 21, 2019, 12:28:08 PM
Hi,

I have a problem on my computer. Every time I turn it on, a pop-up website with tons of ads appears (dinoraptzor.org) and I can't get rid of it. When I uninstall the browser I'm on, it appears on the other one, and so on; it's quite annoying. I use Avast and searched for it, but it says that my PC is clean. Has anyone had this problem? How can I erase it from my PC? Please help.
Thx
Title: Re: Please help "dinoraptzor.org"
Post by: Pondus on November 21, 2019, 12:39:51 PM
Install and run:

Malwarebytes AdwCleaner  >>  https://www.malwarebytes.com/adwcleaner/

Also recommended: Malwarebytes Antimalware, install and run the free version  >>  https://www.malwarebytes.com/


Title: Re: Please help "dinoraptzor.org"
Post by: Pondus on November 21, 2019, 12:42:30 PM
If you still have problems after doing the above, then follow the instructions in step #2 here and attach the two diagnostic logs from FRST  >>  https://forum.avast.com/index.php?topic=194892.0




Title: Re: Please help "dinoraptzor.org"
Post by: ahmunra79 on November 21, 2019, 01:00:31 PM
Hello,

I tried the first option and it didn't work; it still appears when I start my computer.
I followed the steps and here are the results.
Title: Re: Please help "dinoraptzor.org"
Post by: Pondus on November 21, 2019, 01:11:47 PM
Malware expert @Sass Drake has been notified and will check the logs when he is online; it may take hours before he is online.


Title: Re: Please help "dinoraptzor.org"
Post by: Sass Drake on November 21, 2019, 02:09:07 PM
Code:
HKU\S-1-5-21-1381026806-2505369906-469577330-1001\...\Run: [Adriano] => explorer.exe hxxp://dinoraptzor.org <==== ATTENTION
Task: {9A6139E3-7399-4DFD-A5AD-CC4513EB7A43} - System32\Tasks\Adriano => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Adriano /t REG_SZ /d "explorer.exe hxxp://dinoraptzor.org" <==== ATTENTION
Task: {B2B1C095-4E96-49A2-A122-447AFD959F31} - System32\Tasks\Microsoft\Windows\Google\GoogleUpdateTaskMachineUP => C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe <==== ATTENTION
VirusTotal: C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe;
CHR HKLM-x32\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj]
C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe
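
Added example (not part of Sass Drake's post and not FRST code): a small Python triage of the entries above, showing why the Run value keeps returning until the scheduled task that rewrites it is removed as well. The function and finding names are made up for illustration, and the last check assumes a genuine Google Update task runs a binary under a `\Google\Update\` folder.

```python
import re

# Entries copied from the fixlist above (URL left defanged as "hxxp", as on the page).
FIXLIST = r'''
HKU\S-1-5-21-1381026806-2505369906-469577330-1001\...\Run: [Adriano] => explorer.exe hxxp://dinoraptzor.org <==== ATTENTION
Task: {9A6139E3-7399-4DFD-A5AD-CC4513EB7A43} - System32\Tasks\Adriano => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Adriano /t REG_SZ /d "explorer.exe hxxp://dinoraptzor.org" <==== ATTENTION
Task: {B2B1C095-4E96-49A2-A122-447AFD959F31} - System32\Tasks\Microsoft\Windows\Google\GoogleUpdateTaskMachineUP => C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj]
'''

RUN_RE = re.compile(r'^HK\S+\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)(?: <==== ATTENTION)?$')
TASK_RE = re.compile(r'^Task: \{[0-9A-Fa-f-]+\} - (?P<path>.+?) => (?P<cmd>.*?)(?: <==== ATTENTION)?$')
# A Run value that starts explorer.exe with a URL opens that page at every logon.
URL_LAUNCH = re.compile(r'^explorer(\.exe)?\s+h(tt|xx)ps?://', re.I)
# A task action that writes a value under ...\CurrentVersion\Run with REG ADD.
REG_ADD_RUN = re.compile(r'reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\s.*?/v\s+"?(?P<name>[^"\s]+)', re.I)

def triage(text):
    """Return findings for FRST-style Run and Task lines (hypothetical helper)."""
    runs, tasks, findings = {}, [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := RUN_RE.match(line):
            runs[m['name'].lower()] = (m['name'], m['cmd'])  # value names are case-insensitive
        elif m := TASK_RE.match(line):
            tasks.append((m['path'], m['cmd']))
    for name, cmd in runs.values():
        if URL_LAUNCH.match(cmd):
            findings.append(('run-opens-url', name))
    for path, cmd in tasks:
        if m := REG_ADD_RUN.search(cmd):
            # Deleting only the Run value is not enough: this task writes it back.
            linked = m['name'].lower() in runs
            findings.append(('task-restores-run', path, m['name'], linked))
        elif 'googleupdate' in path.lower() and '\\google\\update\\' not in cmd.lower():
            # Assumption: a real Google Update task points into ...\Google\Update\.
            findings.append(('task-name-mismatch', path))
    return findings

if __name__ == '__main__':
    for finding in triage(FIXLIST):
        print(finding)
```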
Title: Re: Please help "dinoraptzor.org"
Post by: polonus on November 21, 2019, 06:50:49 PM
Hi ahmunra79,

This site has been blacklisted - dinoraptzor.org

The infection and cleansing by Sass Drake has proven it is best to block and shun this site.
The threat that this Dutch/French website holds is Threat Name: Web Attack: Fake TechSupport Website
Location: htxps://dinoraptzor.org  &  hoster is French ISP online SAS. (Dutch ISP = online dot nl).

See all vulnerabilities for the hosted IP: https://www.shodan.io/host/163.172.85.109
10 red out of 10 Netcraft Risk Grade: https://toolbar.netcraft.com/site_report?url=163-172-85-109.rev.poneytelecom.eu
Consider also: https://securitytrails.com/list/ns/nsa.online.net

This is for the website and webserver part of this threat,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Please help "dinoraptzor.org"
Post by: ahmunra79 on November 21, 2019, 10:40:54 PM
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
HKU\S-1-5-21-1381026806-2505369906-469577330-1001\...\Run: [Adriano] => explorer.exe hxxp://dinoraptzor.org <==== ATTENTION
Task: {9A6139E3-7399-4DFD-A5AD-CC4513EB7A43} - System32\Tasks\Adriano => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Adriano /t REG_SZ /d "explorer.exe hxxp://dinoraptzor.org" <==== ATTENTION
Task: {B2B1C095-4E96-49A2-A122-447AFD959F31} - System32\Tasks\Microsoft\Windows\Google\GoogleUpdateTaskMachineUP => C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe <==== ATTENTION
VirusTotal: C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe;
CHR HKLM-x32\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj]
C:\Windows\SysWOW64\Microsoft\Protect\S-1-38-51\RB_1.3.91.71.exe
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Done what you said, here's the file
Title: Re: Please help "dinoraptzor.org"
Post by: Sass Drake on November 22, 2019, 01:56:22 AM
What is system status now?
Title: Re: Please help "dinoraptzor.org"
Post by: ahmunra79 on November 23, 2019, 01:18:50 PM
Hi,
Everything looks normal now.
Thank you for all the help you gave. ;) ;)