Topic: Think I have a virus


REDACTED

  • Guest
Think I have a virus
« on: October 16, 2017, 12:21:38 AM »
Hi guys, I've got an issue with a virus:

At the beginning of the month I updated MBAM and a trial of the premium edition. During that time with the premium edition the realtime protection blocked a few things whilst I was using Chrome. I didn't think anything of it at the time, because I noticed the word 'bywinners' in the domain name and assumed it had something to do with the online betting websites I sometimes play on. Anyway, since the premium trial has ended I have since noticed on a couple of occasions tabs pop up in Chrome that I didn't click on. The first couple of times this occurred I simply dismissed it as me having accidentally clicked on an online ad, but today I came upon a Chrome tab with the domain 'hXXp://babittedwinner.men' with a Microsoft-style tab icon and a recorded voice telling me I had won an iPhone (or other such thing). Obviously, I was rather taken aback and suspicious. I've run MBAM, Avast and SuperAntiSpyware over the past few weeks and they've picked up no malware threats. Which is why I'm seeking your guidance. Please help!

Please find attached MBAM reports, FRST logs, and also copies of the MBAM premium edition realtime logs from when they blocked these websites. I've included them below. For some reason MBAM at the time picked up multiple events in the same day (and time!) and I've included each one, hence there seem to be duplicates of the same event. Only thing I noticed is that the domain on each day seems to change to something else!

Should be noted, I also use Firefox, and I seem to have had no issues with that.

Thanks!
« Last Edit: October 16, 2017, 01:46:20 AM by martinov »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33895
  • malware fighter
Re: Think I have a virus
« Reply #1 on: October 16, 2017, 12:32:13 AM »
Hi martinov,

Break that live link: htxp://babittedwinner.men/ It is on Dr.Web's malicious sites list!
And also avast flags it.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Think I have a virus
« Reply #2 on: October 16, 2017, 12:44:29 AM »
- Download the attached fixlist.txt and place it in the same folder as where you have Farbar
- Start Farbar and click on "fix"
- Attach the created Fixlog.txt to your next message here as well as two new Farbar log files (frst.txt and Addition.txt)

REDACTED

  • Guest
Re: Think I have a virus
« Reply #3 on: October 16, 2017, 02:24:25 AM »
Hi here's the logs you requested.

Just a couple of thoughts:

1) Looking at the Wireless IP config section of the fixlog, it mentions that neither the local area network nor the wireless network could be fixed as they were disconnected. I did switch off my internet when the scan was on (since FRST closed my web browsers whilst it was running the fix I saw no point in leaving it on). Did I mess up there? Should I have left my internet connected?

2) I have used a couple of USB sticks in the past week. Could I have passed malware onto those?

Thanks for your help.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Think I have a virus
« Reply #4 on: October 16, 2017, 05:05:54 AM »
Looking a lot better already.
Now have some patience and wait for one of the malware removers to guide you further.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Think I have a virus
« Reply #5 on: October 16, 2017, 09:40:27 AM »
How is your system running now?  Your DNS was reset so we need to know if you still receive the redirects / ads now.


In the meantime, please start CryptoPrevent and have the program reapply the default settings / protection.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Re: Think I have a virus
« Reply #6 on: October 16, 2017, 11:57:43 AM »
My system seems to be running as normal, but these extra Chrome tabs only popped up every couple of days, so I guess I would have to keep things running for a week before I was confident nothing more is amiss, so I'll wait 7 days before reporting back.

Where is a good place to d/l CryptoPrevent, and are there any specific settings that I need to apply to it, or is it just a case of hitting the default settings/protection button once I've started it up?

Thanks again.

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: Think I have a virus
« Reply #7 on: October 16, 2017, 12:02:24 PM »
Quote
Where is a good place to d/l CryptoPrevent, and are there any specific settings that I need to apply to it, or it just a case of hitting the default settings/protection button once I've started it up?
What about CryptoPrevent website / userguide / FAQ ?


REDACTED

  • Guest
Re: Think I have a virus
« Reply #8 on: October 16, 2017, 12:13:33 PM »
I'm unsure what the CryptoPrevent website proper is, that's why I asked. And I asked if any extra settings need be applied because I didn't want to go in blind and mess things up further.

It was surely safer to ask to be sure?

REDACTED

  • Guest
Re: Think I have a virus
« Reply #9 on: October 16, 2017, 03:52:54 PM »
I d/l CryptoPrevent from foolishit, I assume this was the correct place to d/l it (I prefer to ask in case it was fake). On startup, it seemed to run a scan without asking and reset my computer on completion. I assume this is normal? On resumption, I started up CryptoPrevent again and pressed the 'Applied Protection Plan' button using the default setting.

What should I do now?

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Think I have a virus
« Reply #10 on: October 17, 2017, 05:47:13 AM »
We just need you to monitor your system and tell us if you still get the redirects / ads from the winners.men websites.


As to CryptoPrevent, the logs showed you had this installed on your system already.  I just wanted you to refresh the protection it offered as the Fixlist script you ran removed all the settings CryptoPrevent had set previously.

REDACTED

  • Guest
Re: Think I have a virus
« Reply #11 on: October 21, 2017, 04:20:47 PM »
Hi, just got another tab appear in Chrome for a bmwork or something like that. Again, the tab had a Microsoft-style icon and again a voice congratulated me for winning something.  :-\

What can I do?

edit: latest MBAM and FRST scan files attached.
« Last Edit: October 21, 2017, 06:38:10 PM by martinov »

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Think I have a virus
« Reply #12 on: October 22, 2017, 08:05:03 AM »
I scanned your logs and see no malicious software anywhere.  You may possibly need to add an ad blocker to Chrome.

REDACTED

  • Guest
Re: Think I have a virus
« Reply #13 on: November 03, 2017, 03:00:19 PM »
I took your advice, d/l Poper Blocker for Chrome, but within hours I got the same tab problem come up again. So remembering that I used Adwcleaner many, many years ago for a previous problem I d/l that and ran a scan. It seemed to pick up something odd (I included the log below) and I deleted it.

I scanned with Adwcleaner a further couple of times over the last week and was told my system was clean. I've had no more tabs with those "congratulations you've won xxx" come up, so I don't know if that has fixed the problem.

.. but ...

A couple of days ago, whilst I was about to make a last-minute bid on eBay, my eBay page was redirected! I think Avast stopped anything from happening, but checking Chrome's history, it seems I was diverted to:

hXXps://prx2tst.global.ssl.fastly.net/in/091784lmrswdvthmnoxldby/?ads=mlzw8i3g46&sspid=31&keyword=&callback=091789hbavgqjykskmxwzpn&type=frame&p=091784lmrswdvthmnoxldby&sitedomain=https%3A%2F%2Ftpc.googlesyndication.com%2Fsafeframe%2F1-0-13%2Fhtml%2Fcontainer.html&rand=&click=https%3A%2F%2Fads.simpli.fi%2Fctr%3Fsifi%3D6514%2C713431%2C5590058%2C32899840222905%2C2%2C69731%2C0%2C0%2C0%2C65%2C31%2Cv%2C2.13281%2CAAABX3io8bMbT0tY19wrMy_LhS8WCpUHmGRc-w%2C0%2C0%2C0%2C12%2CBC80FD9FACCFF859120E0333024D64AF%2C0%2C0%2C0%2C6%2C400%2C1%2C0%2C0%2C604%2C815%2C701%2Cnlbid10%3A9004-1509557858621-198754964%2C0%2C0%2C90849%2C3%2C1%2C20%2C3025514%2C%2C0%2C0.25%2C0%2C0%2C1546202337%2C0%2C0%2C0%2C1%2C0%2C0%2C2%26tid%3D0d32f92c-020b-4526-b6c8-e3cbaf2c065c%26turl%3D&pubid=&siteid=https%253A%252F%252Ftpc.googlesyndication.com%252Fsafeframe%252F1-0-13%252Fhtml%252Fcontainer.html&location=eurads.simpli.fi&referer=eurads.simpli.fi&dt1=0&dt2=0&dt4=2&dt5=0&dt6=0&dt7=0&dt8=18&dt9=NA&dt10=no%3A0%3Bok%3A0%3Berr%3A35%7Cacademia.edu%7Cairbnb%7Camazon.com%7Cbattle.net%7Cbitbucket%7Cblogger%7Ccarbonmade%7Cdisqus%7Cdropbox%7Cedx%7Cexpedia%7Cfacebook%7Cflickr%7Cfoursquare%7Cgithub%7Cgmail%7Cgoogle_plus%7Chackernews%7Cindeed%7Ckhan_academy%7Cmedium%7Cmeetup%7Cpaypal%7Cpinterest%7Creddit%7Cskype%7Cspotify%7Csquare%7Cstack%7Csteam%7Ctumblr%7Ctwitter%7Cvk%7Cyoutube%7C500px


Yesterday I ran an Avast and Mbam scan, they picked up nothing. So I also tried Chrome Cleanup Tool and Hitman Pro (which didn't pick up anything but some cookies, which I promptly deleted). Last night I was on eBay again, and my page was diverted to this:

hXXps://prx2tst.global.ssl.fastly.net/in/091784lmrswdvthmnoxldby/?ads=mlzw8i3g46&sspid=1&keyword=&callback=091781kjawegxymgmdutrbi&type=frame&p=091784lmrswdvthmnoxldby&sitedomain=https%3A%2F%2Ftpc.googlesyndication.com%2Fsafeframe%2F1-0-13%2Fhtml%2Fcontainer.html&rand=&click=https%3A%2F%2Fads.simpli.fi%2Fctr%3Fsifi%3D6515%2C713431%2C5590058%2C180305727318126%2C2%2C69731%2C0%2C0%2C0%2C218%2C1%2Cv%2C3.60732%2C0.273685703%2C0%2C0%2C0%2C18%2CBC80FD9FCC35FA590F0E7A32025D4BC4%2C0%2C0%2C0%2C6%2C400%2C1%2C0%2C0%2C604%2C815%2C701%2Cnlbid19%3A9011-1509665874623-117157944%2C1%2C0%2C224536%2C10%2C3%2C20%2C3029874%2C%2C0%2C0.35%2C0%2C0%2C1546151680%2C0%2C0%2C0%2C1%2C0%2C0%2C2%26tid%3DA349C65B-ABD7-4FDA-8062-EC492AF57327%26turl%3D&pubid=&siteid=https%253A%252F%252Ftpc.googlesyndication.com%252Fsafeframe%252F1-0-13%252Fhtml%252Fcontainer.html&location=eurads.simpli.fi&referer=eurads.simpli.fi&dt1=0&dt2=0&dt4=2&dt5=0&dt6=0&dt7=0&dt8=16&dt9=NA&dt10=no%3A1%7Cfacebook%3Bok%3A0%3Berr%3A34%7Cacademia.edu%7Cairbnb%7Camazon.com%7Cbattle.net%7Cbitbucket%7Cblogger%7Ccarbonmade%7Cdisqus%7Cdropbox%7Cedx%7Cexpedia%7Cflickr%7Cfoursquare%7Cgithub%7Cgmail%7Cgoogle_plus%7Chackernews%7Cindeed%7Ckhan_academy%7Cmedium%7Cmeetup%7Cpaypal%7Cpinterest%7Creddit%7Cskype%7Cspotify%7Csquare%7Cstack%7Csteam%7Ctumblr%7Ctwitter%7Cvk%7Cyoutube%7C500px

Again, Avast blocked it. I've taken a screen grab of how it looked on my desktop. Any suggestions? And is it related to the previous problem you've been helping me with?

I included MBAM and FRST scans of my computer as of today.

Thanks!
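Added example (editor's note, not written by any participant in this thread): the two redirect URLs pasted in the post above carry the whole hop chain in their own query string, so they can be decoded offline without visiting anything. The Python below, standard library only, takes the first of those URLs as a constructed sample (hXXps re-armed to https, the very long sifi= list shortened, everything else verbatim) and pulls out the landing host, the ad container the frame was served in, the click tracker and its transaction id, and the dt10= field. The reading of dt10= as a per-site probe result is an inference from the shape of the two URLs, not something the thread states.

```python
"""Decode a malvertising redirect URL into its hops, entirely offline."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the first eBay redirect URL from reply #13, with the
# scheme repaired from hXXps and the sifi= list abbreviated.  Nothing here
# touches the network.
REDIRECT_URL = (
    "https://prx2tst.global.ssl.fastly.net/in/091784lmrswdvthmnoxldby/"
    "?ads=mlzw8i3g46&sspid=31&keyword=&callback=091789hbavgqjykskmxwzpn"
    "&type=frame&p=091784lmrswdvthmnoxldby"
    "&sitedomain=https%3A%2F%2Ftpc.googlesyndication.com%2Fsafeframe%2F1-0-13"
    "%2Fhtml%2Fcontainer.html"
    "&rand=&click=https%3A%2F%2Fads.simpli.fi%2Fctr%3Fsifi%3D6514%2C713431%2C5590058"
    "%26tid%3D0d32f92c-020b-4526-b6c8-e3cbaf2c065c%26turl%3D"
    "&pubid=&siteid=https%253A%252F%252Ftpc.googlesyndication.com%252Fsafeframe"
    "%252F1-0-13%252Fhtml%252Fcontainer.html"
    "&location=eurads.simpli.fi&referer=eurads.simpli.fi"
    "&dt1=0&dt2=0&dt4=2&dt5=0&dt6=0&dt7=0&dt8=18&dt9=NA"
    "&dt10=no%3A0%3Bok%3A0%3Berr%3A35%7Cacademia.edu%7Cairbnb%7Camazon.com%7Cbattle.net"
    "%7Cbitbucket%7Cblogger%7Ccarbonmade%7Cdisqus%7Cdropbox%7Cedx%7Cexpedia%7Cfacebook"
    "%7Cflickr%7Cfoursquare%7Cgithub%7Cgmail%7Cgoogle_plus%7Chackernews%7Cindeed"
    "%7Ckhan_academy%7Cmedium%7Cmeetup%7Cpaypal%7Cpinterest%7Creddit%7Cskype%7Cspotify"
    "%7Csquare%7Cstack%7Csteam%7Ctumblr%7Ctwitter%7Cvk%7Cyoutube%7C500px"
)


def _first(params, key):
    """First value of a (possibly repeated) query key, or '' if absent."""
    return params.get(key, [""])[0]


def decode_redirect_chain(url):
    """Return the hops hidden inside the landing URL's query string.

    parse_qs percent-decodes each value once, so click= and sitedomain= come
    out as plain URLs that can be split again.  siteid= is double-encoded in
    the poster's URL (%253A), so it needs one extra unquote() pass.
    """
    landing = urlsplit(url)
    params = parse_qs(landing.query, keep_blank_values=True)
    click = urlsplit(_first(params, "click"))
    click_params = parse_qs(click.query, keep_blank_values=True)
    return {
        "landing_host": landing.hostname,
        "ad_container": urlsplit(_first(params, "sitedomain")).hostname,
        "ad_container_double_encoded": urlsplit(unquote(_first(params, "siteid"))).hostname,
        "click_tracker": click.hostname,
        "click_transaction_id": _first(click_params, "tid"),
        "ssp_location": _first(params, "location"),
        "ssp_id": _first(params, "sspid"),
    }


def decode_dt10(url):
    """Split dt10= into named buckets.

    Layout inferred from the two URLs in the thread: buckets separated by ';',
    each 'name:count' optionally followed by '|site|site|...'.  The second URL
    in the thread reads 'no:1|facebook;ok:0;err:34|...', which looks like the
    outcome of probing the visitor's state at 35 well-known sites.  That
    interpretation is an assumption; the page itself does not document it.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    buckets = {}
    for bucket in _first(params, "dt10").split(";"):
        if not bucket:
            continue
        head, _, tail = bucket.partition("|")
        name, _, count = head.partition(":")
        buckets[name] = {
            "count": int(count or 0),
            "sites": tail.split("|") if tail else [],
        }
    return buckets


if __name__ == "__main__":
    for key, value in decode_redirect_chain(REDIRECT_URL).items():
        print(f"{key:28s} {value}")
    for name, bucket in decode_dt10(REDIRECT_URL).items():
        print(f"dt10 {name}: {bucket['count']} site(s) {bucket['sites'][:3]}...")
```

The point of pulling the chain apart is that every hop is an ad-tech hostname (a Google safeframe container, a simpli.fi click tracker, a Fastly-fronted landing page); the browser arrived there through an ad slot on the page being viewed, not through anything resolving eBay's own name, which is the kind of evidence that distinguishes a malvertising redirect from a DNS or hosts-file hijack.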

REDACTED

  • Guest
Re: Think I have a virus
« Reply #14 on: November 03, 2017, 03:01:28 PM »
And screen grabs of the Avast pop-up when it blocked the above.