Author Topic: Browser Redirecting to unwanted websites  (Read 11812 times)

REDACTED

  • Guest
Browser Redirecting to unwanted websites
« on: April 25, 2016, 07:16:00 AM »
Hi
My machine has been infected by some adware. It redirects to other websites after a link is opened. Initially it was redirecting through tradexchange.com, but it has gradually become more sophisticated and now redirects in the same tab itself. If I try to connect any mobile device through my PC, browsing is hijacked there too, and a prompt opens in the mobile browser directing me to install some app from the Play Store. It is also modifying the modem settings, because the modem UI does not open unless it is reset again.
Please find the attachment, and thanks in advance.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Browser Redirecting to unwanted websites
« Reply #1 on: April 25, 2016, 04:12:02 PM »
Did you install this: Connectify Hotspot?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
2016-03-31 22:33 - 2016-03-31 22:33 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionC650EF95-39A1-4C3E-BF2E-AA9365241BF0
2016-03-31 21:42 - 2016-03-31 21:42 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection1735D568-EC85-4110-B165-9F2371461C42
2016-03-31 20:42 - 2016-03-31 20:42 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection24391CB3-440A-4462-94A9-405D58C63533
2016-03-31 20:20 - 2016-03-31 20:20 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection32F32607-EA7F-4121-96A8-5770EAF9B83A
2016-03-31 19:50 - 2016-03-31 19:50 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionECF87DE6-242F-47C1-9E1C-77D7E6E5930B
2016-03-31 19:34 - 2016-03-31 19:34 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection3B1C3EA6-914A-45DD-A2E3-2D6047A034EA
2016-04-08 23:33 - 2016-04-08 23:33 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionF694676F-70F3-432F-B0DF-AF010CFEACCC
2016-03-30 12:07 - 2016-03-30 12:07 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection5269F249-216A-45C8-BD56-204B561CF595
2016-03-26 10:53 - 2016-03-26 10:53 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetection48972D24-4C8B-4AA1-B499-18ED2ADE946C
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #2 on: April 25, 2016, 06:30:48 PM »
Thanks for helping.
I installed Connectify a few days back, while the adware has been there for nearly two months.
After the FRST fix, redirection was still there, and AdwCleaner did not find any issue.

Offline essexboy

Re: Browser Redirecting to unwanted websites
« Reply #3 on: April 25, 2016, 07:05:16 PM »
Which browser are the redirects evident in?

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #4 on: April 25, 2016, 07:21:54 PM »
Mozilla and Chrome. I have not checked IE in the meantime.

Offline essexboy

Re: Browser Redirecting to unwanted websites
« Reply #5 on: April 25, 2016, 07:42:30 PM »
Do any other computers that use your router experience the same problem?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.
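
Added example, not part of essexboy's post and not FRST's own code: a small Python parser that splits a fixlist like the two quoted in this thread into directives and reports which lines carry a user SID or profile path, the values that tie a fix to one machine. The kind labels `path-entry` and `unknown` and the function names are assumptions of this example; the sample lines are copied from the fixlists above.

```python
import re

# Directive keywords exactly as they appear in the two fixlists in this thread.
DIRECTIVES = ("CreateRestorePoint:", "RemoveProxy:", "EmptyTemp:",
              "CMD:", "Reg:", "CustomCLSID:")
# Values that bind a line to one machine: a user SID or a per-user profile path.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")
PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")
# File/folder entries in the thread start with two "YYYY-MM-DD HH:MM" stamps.
ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")


def parse_fixlist(text):
    """Return one dict per non-empty line: kind, argument, machine-specific markers."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, arg = "unknown", line
        for d in DIRECTIVES:
            if line.startswith(d):
                kind, arg = d.rstrip(":"), line[len(d):].strip()
                break
        else:
            if ENTRY_RE.match(line):
                kind = "path-entry"  # label chosen for this example
        markers = SID_RE.findall(line) + ["profile:" + u for u in PROFILE_RE.findall(line)]
        items.append({"kind": kind, "arg": arg, "machine_specific": sorted(set(markers))})
    return items


def summarize(items):
    """Count lines per kind and collect every machine-specific marker seen."""
    counts, markers = {}, set()
    for it in items:
        counts[it["kind"]] = counts.get(it["kind"], 0) + 1
        markers.update(it["machine_specific"])
    return counts, sorted(markers)


# Sample input: lines copied from the fixlists quoted in this thread.
SAMPLE = r"""CreateRestorePoint:
2016-03-31 22:33 - 2016-03-31 22:33 - 00000000 ____D C:\Users\satya\AppData\Local\TempTaskUpdateDetectionC650EF95-39A1-4C3E-BF2E-AA9365241BF0
CustomCLSID: HKU\S-1-5-21-471028188-2882416045-2821947869-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\satya\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: netsh winsock reset catalog
EmptyTemp:
"""
COUNTS, MARKERS = summarize(parse_fixlist(SAMPLE))
```

Lines with a non-empty `machine_specific` list are the ones that would point at the wrong profile or registry hive on any other computer.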

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #6 on: April 26, 2016, 03:53:39 AM »
As I said, browsers of mobile devices connected through the PC via the netsh command or Connectify are getting hijacked persistently. My modem is a single-user one where only one PC can be connected through the LAN port. It has got no Wi-Fi.
I have reason to believe that the adware was not there when I connected through an Android hotspot. But I am not sure, as I used the internet through the Android hotspot for a limited period of time.

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #7 on: April 26, 2016, 05:42:17 AM »
Here is a redirection snapshot I took just now.
After I installed Malwarebytes, it is showing notifications for malicious websites but is not able to block them.

Offline essexboy

Re: Browser Redirecting to unwanted websites
« Reply #8 on: April 26, 2016, 03:52:10 PM »
Could you run Chrome in incognito mode and let me know if the redirects still occur?

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #9 on: April 26, 2016, 05:20:45 PM »
Ya, redirection does occur in incognito mode too. In fact it has occurred today itself.

Offline essexboy

Re: Browser Redirecting to unwanted websites
« Reply #10 on: April 26, 2016, 06:31:39 PM »
OK, let's look deeper

Download and Install ComboFix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #11 on: April 26, 2016, 07:50:55 PM »
Ran the requisite tool. Computer seems to be running normally. Have to wait for some time to confirm the same, as redirection does not occur on every click.

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #12 on: April 27, 2016, 03:03:35 AM »
It's still there.

Offline essexboy

Re: Browser Redirecting to unwanted websites
« Reply #13 on: April 27, 2016, 03:40:52 PM »
Could you update FRST please and run a fresh scan? A new version has been released.

REDACTED

  • Guest
Re: Browser Redirecting to unwanted websites
« Reply #14 on: April 27, 2016, 04:36:16 PM »
PFA the FRST log