I am redirected to asnews.com.sg

Flash

Lost in speed
if all else fails u can manually go through ur program files folder and also the app data folder .. and look for folders with some unusual names. this method has helped me a couple of times .

^^ That's what I do, after I find the culprit program through the list of running processes. Worked for me the last time my pc got infected with such redirecting malware.
Why not use Revo uninstaller, and use the Advanced mode?

*zapp5.staticworld.net/downloads/graphics/screenshots/66703f.jpg
 
OP
nac

nac

Aspiring Novelist
Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search results (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
As of now, it hasn't happened. I am using it from morning.
 

amjath

Human Spambot
Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search results (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
As of now, it hasn't happened. I am using it from morning.

Change default search engine in IE. And the tab [webpage] when opening the IE for first time
 
D

Deleted member 118788

Guest
Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search results (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
As of now, it hasn't happened. I am using it from morning.

Why don't you run AdwCleaner once?
 
OP
nac

nac

Aspiring Novelist
Why don't you run AdwCleaner once?
I am just going one by one, to see if it works. I will surely try it, if it happens again.
It's been more than 24hrs since the last event. :)

- - - Updated - - -

Change default search engine in IE. And the tab [webpage] when opening the IE for first time
Yeah, done. Default was BING, now changed to GOOGLE.
Why don't you run AdwCleaner once?
After about 2 days, it happened again. This time, I was watching a movie trailer in youtube when it happened.
Ran adwcleaner_5.015. It has cleared few things. I didn't uncheck anything, so it has removed everything it assumed as "junk".

- - - Updated - - -

Again it happened after running adwcleaner while watching youtube videos. Now I have run junkware tool and hitman pro. I think I have tried all the options suggested. Now I am waiting to see if it happens again.
God, why is this so complex to find the issue?

- - - Updated - - -

:-x It's still happening. I saw this address before it landed on "asnews", I didn't have enough time to notice the whole address before it redirected to asnews. Hovering the cursor around the page, it shows this address ad.adschemist.com/ex
GUYS DON'T PUNCH THIS ADDRESS AND CHECK. I DON'T KNOW IF IT'S A VIRUS OR NOT.
If any of you guys are facing/faced this problem, please let me know the solution. I am tired of this...

- - - Updated - - -

Few days ago (likely weeks ago), I saw this icon when I visit thinkdigit forum.
*i102.photobucket.com/albums/m108/tkphotos1/Bug%204_zps7st0gf27.png
To know what it is, I clicked and it said askmebazzar (share location or something) before I realize what it is, that icon disappeared. I tried to find it but couldn't. I guess I wrongly clicked share my location or something. It strikes me now because I notice one of the asnews link is askmebazzar. I have reset my browser the same day.

Following are the three links I see in that asnews page. If you guys know any way to find solution with this information, please let me know.
*i102.photobucket.com/albums/m108/tkphotos1/Bug%201_zpsdht9v9wd.png

*i102.photobucket.com/albums/m108/tkphotos1/Bug%202_zpsq27vog2l.png

*i102.photobucket.com/albums/m108/tkphotos1/Bug%203_zps6oen9sk2.png
 

amjath

Human Spambot
Install this ad block addon and report back.

*addons.mozilla.org/en-US/firefox/addon/adblock-plus/

^ that's for mozilla
 

it_waaznt_me

Coming back to life ..
Can't believe I get to say this again .. Can you post your HijackThis logfile here for analysis?

Also, I believe you should check Scheduled Tasks if the problem seems to be persisting. Some "cracks" will install a scheduled task to regularly poison your dns or inject their code and this is usually overlooked while troubleshooting.
 
OP
nac

nac

Aspiring Novelist
Install this ad block addon and report back.
*addons.mozilla.org/en-US/firefox/addon/adblock-plus/
^ that's for mozilla
Done. But how this is gonna help me? Because, it also happened in IE too...

Can't believe I get to say this again .. Can you post your HijackThis logfile here for analysis?

Also, I believe you should check Scheduled Tasks if the problem seems to be persisting. Some "cracks" will install a scheduled task to regularly poison your dns or inject their code and this is usually overlooked while troubleshooting.

Post Hijack This Log first then.
Ran and checked the log online. Seems good to me...

There is no event since Friday night and I haven't used PC in the weekend. Waiting to see if it occurs again or not.
 
D

Deleted member 118788

Guest
Done. But how this is gonna help me? Because, it also happened in IE too...




Ran and checked the log online. Seems good to me...

There is no event since Friday night and I haven't used PC in the weekend. Waiting to see if it occurs again or not.

If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.
 

Flash

Lost in speed
If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.
*media.giphy.com/media/F7yLXA5fJ5sLC/giphy.gif
 
OP
nac

nac

Aspiring Novelist
If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.
I didn't say that. :blank:
Did you find it offensive?:chinscratch:
Hijackthis site has an option to submit the file for analyzing. So I did and pretty much everything was green, the ones in orange are programs I know. That's how I came to the conclusion "everything seems fine". I will post the log file in an hour or so. :blink:
:D
 
D

Deleted member 118788

Guest
I didn't say that. :blank:
Did you find it offensive?:chinscratch:
Hijackthis site has an option to submit the file for analyzing. So I did and pretty much everything was green, the ones in orange are programs I know. That's how I came to the conclusion "everything seems fine". I will post the log file in an hour or so. :blink:

:D

I didn't find it offensive but whatever suggestions have been provided here you don't seem to be following at all and doing what comes to your mind. So, I had asked the reason for opening the thread. You didn't reply to my second question yet. ;)
 
OP
nac

nac

Aspiring Novelist
I didn't find it offensive but whatever suggestions have been provided here you don't seem to be following at all and doing what comes to your mind. So, I had asked the reason for opening the thread. You didn't reply to my second question yet. ;)
Come on man, I have tried all the solutions suggested so far (just posting the log file is pending). I have left a comment before leaving for the weekend saying I have tried everything.
That would be wonderful if it gets fixed automatically. But I have tried, and it was still there as of Friday night.
 
D

Deleted member 118788

Guest
Come on man, I have tried all the solutions suggested so far (just posting the log file is pending). I have left a comment before leaving for the weekend saying I have tried everything.
That would be wonderful if it gets fixed automatically. But I have tried, and it was still there as of Friday night.

Can you provide me team viewer access to your PC? I have cleaned a hell lot of malware infections in my life and will love to clean yours as well.
 
OP
nac

nac

Aspiring Novelist
Here is the log...
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 4:14:17 PM, on 02-Nov-2015
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17840)

FIREFOX: 41.0.2 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HOM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:InPrivate
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN - Outlook, Skype, Hotmail, Messenger
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN - Outlook, Skype, Hotmail, Messenger
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: **.hola.org
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
O18 - Protocol: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%systemroot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Foxit Cloud Safe Update Service (FoxitCloudUpdateService) - Foxit Software Inc. - C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
O23 - Service: @%systemroot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%systemroot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%systemroot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%systemroot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%systemroot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files (x86)\airtel 3G\AssistantServices.exe
O23 - Service: @%systemroot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%systemroot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7649 bytes
 

it_waaznt_me

Coming back to life ..
You can maybe disable the Foxit cloud service from start > run > services.msc. Rest looks like your antivirus has taken care of. Also, did you check the Task Scheduler ?
 
OP
nac

nac

Aspiring Novelist
You can maybe disable the Foxit cloud service from start > run > services.msc. Rest looks like your antivirus has taken care of. Also, did you check the Task Scheduler ?
Disabled Foxit cloud update service.
Yeah, I checked that. Those task names are new, I couldn't figure out whether a particular task is of windows or something else just by looking at the name. There is not much information about those tasks, like file location and all. I tried googling to look up a few things, after seeing the long list I stopped. In the last 24 hours the issue didn't pop up. The last known event is on Friday night, and I couldn't sort by date/time. So I am thinking of checking this if the issue pops up. Or do you guys know any way to export all the tasks in an excel or txt file and look up if it's a good one or not.

And one more thing. In that log file, there is something called Hola which I think I tried around BGT finals. But I couldn't get it to work. So I uninstalled. I don't know why it's still in my PC. Do you guys know how to find and remove it from trusted site?
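
One way to get the whole scheduled-task list into a file that opens in Excel, with the command each task runs and sortable run times (an added example, not part of any poster's reply). It uses the built-in ScheduledTasks cmdlets of Windows 8 and later; the output file name is an assumption.

```powershell
# Added example: export every scheduled task, one row per action, to a CSV.
# Run from an elevated PowerShell prompt so tasks of other accounts are visible.
$outFile = Join-Path $env:USERPROFILE 'Desktop\scheduled-tasks.csv'   # assumed output path

$rows = foreach ($task in Get-ScheduledTask) {
    # Run times live in a separate object; some tasks refuse the query.
    $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            State       = $task.State
            Author      = $task.Author
            RunAs       = $task.Principal.UserId
            ActionType  = $action.CimClass.CimClassName
            Execute     = $action.Execute      # empty for COM-handler actions
            Arguments   = $action.Arguments
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    }
}

# Most recently run tasks first, so a run can be lined up with a redirect.
$rows | Sort-Object LastRunTime -Descending |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Triage view: tasks stored outside the \Microsoft\ folder.
# The folder is only a hint; anything can register a task under any path,
# so the Execute and Arguments columns are what needs reading.
$rows | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Sort-Object LastRunTime -Descending |
    Format-Table TaskPath, TaskName, Execute, Arguments, LastRunTime -AutoSize -Wrap
```

Rows whose Execute column points at a script host or a file under a user profile or temp folder are the ones to look up first.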
 

Flash

Lost in speed
And one more thing. In that log file, there is something called Hola which I think I tried around BGT finals. But I couldn't get it to work. So I uninstalled. I don't know why it's still in my PC. Do you guys know how to find and remove it from trusted site?
Hola is a free VPN service.
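
The `O15 - Trusted Zone` line in the log comes from Internet Explorer's ZoneMap registry keys, so the leftover hola.org entry can be found there (an added example, not part of any poster's reply). Which hive holds the entry on this PC is not stated in the thread, so the script checks both the per-user and the machine-wide keys.

```powershell
# Added example: list sites assigned to IE's Trusted sites zone (zone 2)
# and preview removal of the leftover hola.org entry.
$zoneMaps = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

$entries = foreach ($map in $zoneMaps) {
    foreach ($branch in 'Domains', 'EscDomains') {
        $base = Join-Path $map $branch
        if (-not (Test-Path -LiteralPath $base)) { continue }
        # Each domain (and subdomain) is a key; each value name is a protocol
        # ('*', 'http', 'https') and its data is the zone number.
        foreach ($key in Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key      = $key.Name
                    Protocol = $name
                    Zone     = $key.GetValue($name)
                }
            }
        }
    }
}

$trusted = $entries | Where-Object { $_.Zone -eq 2 }
$trusted | Format-Table -AutoSize -Wrap

# Preview only: -WhatIf prints what would be deleted without deleting it.
# Drop -WhatIf to remove the key; HKLM entries need an elevated prompt.
$trusted | Where-Object { $_.Key -like '*\hola.org*' } |
    Select-Object -ExpandProperty Key -Unique |
    ForEach-Object { Remove-Item -LiteralPath "Registry::$_" -Recurse -WhatIf }
```

The same list is shown in Internet Options > Security > Trusted sites > Sites, where an entry can be removed by hand.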
 

dashing.sujay

Moving
Staff member
Manage scheduled tasks through CCleaner.

Also, check my adware/malware removal guide (in sig), you might get some help from there. Some BHO is messed up.
 