# I am redirected to asnews.com.sg



## nac (Oct 28, 2015)

For the last 2 weeks or so, I am getting redirected to asnews.com.sg upon loading a website. Not all the time, but it's happening. I reset my browser, ran Malwarebytes, antivirus. It's still happening. I don't know if it's happening to all the sites I visit or only a few of them. As of now, I am sure it's happening with digit forum.

I don't know how serious this issue is. I really appreciate if you guys help me with some fix. I googled, but nothing seems clear.

They say remove "all files related to asnews dot com dot sg" - How do I know the files that are related to asnews?
They suggest spyhunter - which doesn't seem like a genuine tool.

Any of you guys faced this issue?


----------



## amjath (Oct 28, 2015)

It must be an extension, uninstall it. Check once in add or remove programs as well and uninstall. Do a restart.


----------



## nac (Oct 28, 2015)

Checked plugins, extensions and installed programs. Couldn't find anything suspicious wrt this issue.

I am posting snaps, check them and see if you can find anything.





*i102.photobucket.com/albums/m108/tkphotos1/bug%201_zpsvkfotgit.png

*i102.photobucket.com/albums/m108/tkphotos1/bug%202_zpsk68669rh.png

Softwares installed/updated in the last one month.
*i102.photobucket.com/albums/m108/tkphotos1/bug%203_zpsunnwocob.png


----------



## amjath (Oct 28, 2015)

^ that's weird. Check other browser for addons as well


----------



## nac (Oct 28, 2015)

Checked IE, couldn't find any... The highlighted one "research" could be it? I don't know, and I don't know how to remove it.
This is of IE





*i102.photobucket.com/albums/m108/tkphotos1/Add-ons_zpsszeau3fr.png


----------



## Vyom (Oct 28, 2015)

Have you tried looking into Startup items to see what programs start when you boot your PC?

Also don't sort the list of installed programs by date, since it may be that this information is missing for some programs. Post the full list of installed programs if possible. Once you check what programs are being started in startup using tools such as CCleaner and Sysinternals' Autoruns, you may also want to look at the list of running programs using a program known as Sysinternals' Process Explorer. It shows the list of running processes hierarchically.


----------



## Flash (Oct 28, 2015)

Try AdwCleaner and HitmanPro and do a scan. It may be an adware which was installed side-by-side when installing software/games without user awareness.


----------



## nac (Oct 28, 2015)

Vyom said:


> Have you tried looking into Startup items to see what programs start when you boot your PC?
> 
> Also don't sort the list of installed programs by date, since it may be that this information is missing for some programs. Post the full list of installed programs if possible. Once you check what programs are being started in startup using tools such as CCleaner and Sysinternals' Autoruns, you may also want to look at the list of running programs using a program known as Sysinternals' Process Explorer. It shows the list of running processes hierarchically.


Only two things are enabled at startup. Java and a third party snipping tool called greenshot which I have been using for years.

I came across this video when googling


In task manager I see that dwm.exe running under different user name called DWM-23. Google says, it's normal. Can you guys confirm this?
BTW, should I use those tools, CCleaner and Sysinternals? I used task manager to check those things.

I see no suspicious programs running under my user.

Among the four files mentioned in that video, I can find two files in the task manager. But both are system files and are in system folder not in appdata folder.


Flash said:


> Try AdwCleaner and HitmanPro and do a scan. It may be an adware which was installed side-by-side when installing software/games without user awareness.


I will check those tools and see if it fixes the issue.


----------



## amjath (Oct 28, 2015)

nac said:


> Only two things are enabled at startup. Java and a third party snipping tool called greenshot which I have been using for years.
> 
> I came across this video when googling
> 
> ...



dwm.exe is safe.


----------



## arijitsinha (Oct 28, 2015)

How Do I Remove asnews.com.sg Redirect? ( Removal Guide ) - EasyVirusKilling.com


*www.google.co.in/search?q=asnews.com.sg

Edit: OOPS sry, just now realized you already tried those steps.


----------



## nac (Oct 28, 2015)

Can internet service provider set this kinda things? I am asking because, after I logged in and opened the browser (default is blank page), I typed in digit forum address and pressed enter. I was redirected, but this time it's "mail.bsnl". Now I remember it happened too (redirecting to bsnl) a few times in the last two weeks.


----------



## Flash (Oct 28, 2015)

nac said:


> Can internet service provider set this kinda things? I am asking because, after I logged in and opened the browser (default is blank page), I typed in digit forum address and pressed enter. I was redirected, but this time it's "mail.bsnl". Now I remember it happened too (redirecting to bsnl) a few times in the last two weeks.


It was by BSNL. For every disconnection, it will open mail.bsnl.in first when the internet is connecting. But it has no connection with your asnews thingy. 

BSNL clears stand on redirecting broadband users to (mail.bsnl.in) promotional page


----------



## Deleted member 118788 (Oct 28, 2015)

nac said:


> Can internet service provider set this kinda things? I am asking because, after I logged in and opened the browser (default is blank page), I typed in digit forum address and pressed enter. I was redirected, but this time it's "mail.bsnl". Now I remember it happened too (redirecting to bsnl) a few times in the last two weeks.



Do this and you will be fine. 

1. Download and Run AdwCleaner. AdwCleaner Download

2. Download and Run Junkware Removal Tool. Junkware Removal Tool Download

3. Download and Run MalwareBytes Anti-Malware Tool. *www.malwarebytes.org/antimalware/

Usage of these 3 tools will be enough to clean all the adware you have. If the above don't help then I will suggest to create a new profile in Firefox after deleting the old profile.


----------



## Flash (Oct 28, 2015)

@Pulse was also having the adware problem in firefox (though in your case, it's a browser hijacker). 
But he cleaned up his PC via HitmanPro. 

If nothing worked, export the bookmarks and reset the firefox.


----------



## nac (Oct 28, 2015)

Flash said:


> It was by BSNL. For every disconnection, it will open mail.bsnl.in first when the internet is connecting. But it has no connection with your asnews thingy.
> BSNL clears stand on redirecting broadband users to (mail.bsnl.in) promotional page


It wasn't the case before. It's happening for the last two weeks. So the reason I was little worried and doubted if it's because of some virus or malware or something.


Geek-With-Lens said:


> Do this and you will be fine.
> 1. Download and Run AdwCleaner. AdwCleaner Download
> 2. Download and Run Junkware Removal Tool. Junkware Removal Tool Download
> 3. Download and Run MalwareBytes Anti-Malware Tool. *www.malwarebytes.org/antimalware/
> ...


I have already run malwarebytes. I started noting down when, where it happens. Since this thread started, it happened only once i.e. redirected to bsnl.


Flash said:


> @Pulse was also having the adware problem in firefox (though in your case, it's a browser hijacker).
> But he cleaned up his PC via HitmanPro.
> If nothing worked, export the bookmarks and reset the firefox.


Yeah, I have already reset the browser few days ago. Even after that, this issue isn't solved.


----------



## Deleted member 118788 (Oct 28, 2015)

nac said:


> I have already run malwarebytes. I started noting down when, where it happens. Since this thread started, it happened only once i.e. redirected to bsnl.



I will still suggest you to run the other 2 tools to be sure. They are very small in size and there is no harm in running them.

- - - Updated - - -



nac said:


> Yeah, I have already reset the browser few days ago. Even after that, this issue isn't solved.



How did you reset them? If you just uninstalled and installed then it is not enough as the left overs of old profile still stays.


----------



## amjath (Oct 28, 2015)

^ he can uninstall, run ccleaner then reinstall the browser


----------



## nac (Oct 28, 2015)

Geek-With-Lens said:


> I will still suggest you to run the other 2 tools to be sure. They are very small in size and there is no harm in running them.
> How did you reset them? If you just uninstalled and installed then it is not enough as the left overs of old profile still stays.


Okay, I will try those tools. I have done few things today to fix the issue. For now, I wait and see if it happens again. Then I try them.
There is an option called reset/refresh in troubleshoot option.


----------



## vito scalleta (Oct 28, 2015)

if all else fails u can manually go through ur program files folder and also the app data folder .. and look for folders with some unusual names. this method has helped me a couple of times .


----------



## Vyom (Oct 29, 2015)

^^ That's what I do, after I find the culprit program through the list of running processes. Worked for me the last time my pc got infected with such redirecting malware.


----------



## Flash (Oct 29, 2015)

vito scalleta said:


> if all else fails u can manually go through ur program files folder and also the app data folder .. and look for folders with some unusual names. this method has helped me a couple of times .





Vyom said:


> ^^ That's what I do, after I find the culprit program through the list of running processes. Worked for me the last time my pc got infected with such redirecting malware.


Why not use Revo uninstaller, and use the Advanced mode?

*zapp5.staticworld.net/downloads/graphics/screenshots/66703f.jpg


----------



## nac (Oct 29, 2015)

Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search result (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
As of now, it hasn't happened. I am using it from morning.


----------



## amjath (Oct 29, 2015)

nac said:


> Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
> After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search result (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
> As of now, it hasn't happened. I am using it from morning.



Change default search engine in IE. And the tab [webpage] when opening the IE for first time


----------



## Deleted member 118788 (Oct 30, 2015)

nac said:


> Uninstalled and reinstalled firefox. Including left over files and folders and profiles and everything.
> After uninstalling, I googled "how to clean traces and leftovers of mozilla" using IE and when I was opening one of the search result (askvg.com), I was redirected to "asnews". So it's not just mozilla, but also the other browser IE. Thought I could uninstall IE too, but seems like I can't.
> As of now, it hasn't happened. I am using it from morning.



Why don't you run AdwCleaner once?


----------



## nac (Oct 31, 2015)

Geek-With-Lens said:


> Why don't you run AdwCleaner once?


I am just going one by one, and seeing if it works. I will sure try it, if it happens again.
It's been more than 24hrs since the last event.

- - - Updated - - -



amjath said:


> Change default search engine in IE. And the tab [webpage] when opening the IE for first time


Yeah, done. Default was BING, now changed to GOOGLE.


Geek-With-Lens said:


> Why don't you run AdwCleaner once?


After about 2 days, it happened again. This time, I was watching a movie trailer in youtube when it happened. 
Ran adwcleaner_5.015. It has cleared few things. I didn't uncheck anything, so it has removed everything it assumed as "junk".

- - - Updated - - -

Again it happened after running adwcleaner while watching youtube videos. Now I have run junkware tool and hitman pro. I think I have tried all the options suggested. Now I am waiting to see if it happens again.
God, why this is so complex to find the issue?

- - - Updated - - -

It's still happening. I saw this address before it landed on "asnews"; I didn't have enough time to notice the whole address before it redirected to asnews. Hovering the cursor around the page, it shows this address: ad.adschemist.com/ex
GUYS DON'T PUNCH THIS ADDRESS AND CHECK. I DON'T KNOW IF IT'S A VIRUS OR NOT.
If any of you guys are facing/faced this problem, please let me know the solution. I am tired of this...

- - - Updated - - -

Few days ago (likely weeks ago), I saw this icon when I visit thinkdigit forum.





*i102.photobucket.com/albums/m108/tkphotos1/Bug%204_zps7st0gf27.png


To know what it is, I clicked and it said askmebazzar (share location or something) before I realize what it is, that icon disappeared. I tried to find it but couldn't. I guess I wrongly clicked share my location or something. It strikes me now because I notice one of the asnews link is askmebazzar. I have reset my browser the same day.

Following are the three links I see in that asnews page. If you guys know any way to find solution with this information, please let me know.





*i102.photobucket.com/albums/m108/tkphotos1/Bug%201_zpsdht9v9wd.png

*i102.photobucket.com/albums/m108/tkphotos1/Bug%202_zpsq27vog2l.png

*i102.photobucket.com/albums/m108/tkphotos1/Bug%203_zps6oen9sk2.png


----------



## amjath (Oct 31, 2015)

Install this ad block addon and report back.

*addons.mozilla.org/en-US/firefox/addon/adblock-plus/

^ that's for mozilla


----------



## it_waaznt_me (Oct 31, 2015)

Can't believe I get to say this again .. Can you post your HijackThis logfile here for analysis?

Also, I believe you should check Scheduled Tasks if the problem seems to be persisting. Some "cracks" will install a scheduled task to regularly poison your dns or inject their code and this is usually overlooked while troubleshooting.


----------



## Deleted member 118788 (Oct 31, 2015)

Post Hijack This Log first then.


----------



## nac (Nov 2, 2015)

amjath said:


> Install this ad block addon and report back.
> *addons.mozilla.org/en-US/firefox/addon/adblock-plus/
> ^ that's for mozilla


Done. But how this is gonna help me? Because, it also happened in IE too...



it_waaznt_me said:


> Can't believe I get to say this again .. Can you post your HijackThis logfile here for analysis?
> 
> Also, I believe you should check Scheduled Tasks if the problem seems to be persisting. Some "cracks" will install a scheduled task to regularly poison your dns or inject their code and this is usually overlooked while troubleshooting.





Geek-With-Lens said:


> Post Hijack This Log first then.


Ran and checked the log online. Seems good to me...

There is no event since Friday night and I haven't used PC in the weekend. Waiting to see if occurs again or not.


----------



## Deleted member 118788 (Nov 2, 2015)

nac said:


> Done. But how this is gonna help me? Because, it also happened in IE too...
> 
> 
> 
> ...



If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.


----------



## Flash (Nov 2, 2015)

Geek-With-Lens said:


> If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.


*media.giphy.com/media/F7yLXA5fJ5sLC/giphy.gif


----------



## nac (Nov 2, 2015)

Geek-With-Lens said:


> If you are so smart to check it then why did you open this thread in the first place? Please also tell me how the problem will solve automatically if you have not taken any action since its last occurrence.


I didn't say that. 
Did you find it offensive?
HijackThis site has an option to submit the file for analyzing. So I did and pretty much everything was green, the ones in orange are programs I know. That's how I came to conclusion "everything seems fine". I will post the log file in an hour or so.


Flash said:


> ...


----------



## Deleted member 118788 (Nov 2, 2015)

nac said:


> I didn't say that.
> Did you find it offensive?
> HijackThis site has an option to submit the file for analyzing. So I did and pretty much everything was green, the ones in orange are programs I know. That's how I came to conclusion "everything seems fine". I will post the log file in an hour or so.



I didn't find it offensive but whatever suggestions have been provided here you don't seem to be following at all and doing what comes to your mind. So, I had asked the reason for opening the thread. You didn't reply to my second question yet.


----------



## nac (Nov 2, 2015)

Geek-With-Lens said:


> I didn't find it offensive but whatever suggestions have been provided here you don't seem to be following at all and doing what comes to your mind. So, I had asked the reason for opening the thread. You didn't reply to my second question yet.


Come on man, I have tried all the solution suggested so far (just posting the log file is pending). I have left a comment before leaving for the weekend saying I have tried everything.
That would be wonderful if it gets fixed automatically. But I have tried, and it was still there as of Friday night.


----------



## Deleted member 118788 (Nov 2, 2015)

nac said:


> Come on man, I have tried all the solution suggested so far (just posting the log file is pending). I have left a comment before leaving for the weekend saying I have tried everything.
> That would be wonderful if it gets fixed automatically. But I have tried, and it was still there as of Friday night.



Can you provide me team viewer access to your PC? I have cleaned a hell lot of malware infections in my life and will love to clean yours as well.


----------



## nac (Nov 2, 2015)

Here is the log...


```
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 4:14:17 PM, on 02-Nov-2015
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17840)

FIREFOX: 41.0.2 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HOM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:InPrivate
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN - Outlook, Skype, Hotmail, Messenger
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN - Outlook, Skype, Hotmail, Messenger
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: **.hola.org
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
O18 - Protocol: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%systemroot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Foxit Cloud Safe Update Service (FoxitCloudUpdateService) - Foxit Software Inc. - C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
O23 - Service: @%systemroot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%systemroot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%systemroot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%systemroot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%systemroot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files (x86)\airtel 3G\AssistantServices.exe
O23 - Service: @%systemroot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%systemroot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7649 bytes
```


----------



## it_waaznt_me (Nov 2, 2015)

You can maybe disable the Foxit cloud service from start > run > services.msc. Rest looks like your antivirus has taken care of. Also, did you check the Task Scheduler ?
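An added example (not part of the original posts and not HijackThis's own code): a small Python triage pass over log lines in the format posted above, listing the entries that deserve a manual look. The sample is an excerpt of the posted log plus one constructed `ExampleUpdater` line; the function names and the three review rules are assumptions made for this illustration.

```python
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O23"
    text: str  # remainder of the line


# Excerpt of the log posted in this thread. The [ExampleUpdater] line is
# CONSTRUCTED so the "binary outside program directories" rule has a hit.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:InPrivate
O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ExampleUpdater] C:\Users\HOM\AppData\Roaming\example\updater.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O15 - Trusted Zone: **.hola.org
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Foxit Cloud Safe Update Service (FoxitCloudUpdateService) - Foxit Software Inc. - C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files (x86)\airtel 3G\AssistantServices.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)\b', re.IGNORECASE)
# Directories a standard user cannot write to; "progra~" covers 8.3 short names.
KNOWN_DIRS = ("c:\\windows\\", "c:\\program files\\",
              "c:\\program files (x86)\\", "c:\\progra~")


def parse(log: str) -> list:
    """Keep only the coded lines (R0, O2, O23, ...); skip header and process list."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def binary_path(entry: Entry) -> Optional[str]:
    """Last drive-letter path to an .exe/.dll on the line, if there is one."""
    paths = PATH_RE.findall(entry.text)
    return paths[-1] if paths else None


def triage(entries: list) -> list:
    """Return (code, reason, detail) tuples worth a manual look. Not a verdict."""
    findings = []
    for e in entries:
        path = binary_path(e)
        if e.code == "O15":
            findings.append((e.code, "site in IE Trusted Zone", e.text))
        elif path and not path.lower().startswith(KNOWN_DIRS):
            findings.append((e.code, "binary outside Windows/Program Files", path))
        elif e.code == "O23":
            parts = e.text.rsplit(" - ", 2)  # name - owner - path
            # "(file missing)" on system files is commonly an artefact of the
            # 32-bit HijackThis running on 64-bit Windows, so it is skipped.
            if (len(parts) == 3 and parts[1] == "Unknown owner"
                    and "(file missing)" not in parts[2]):
                findings.append((e.code, "service with unknown owner", path))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse(SAMPLE_LOG)):
        print(f"{code:4} {reason:38} {detail}")
```
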


----------



## nac (Nov 2, 2015)

it_waaznt_me said:


> You can maybe disable the Foxit cloud service from start > run > services.msc. Rest looks like your antivirus has taken care of. Also, did you check the Task Scheduler ?


Disabled Foxit cloud update service.
Yeah, I checked that. Those task names are new, I couldn't figure out whether a particular task is of windows or something else just by looking at the name. There is not much information about those tasks, like file location and all. I tried googling to look up a few things, after seeing the long list I stopped. In the last 24 hours the issue didn't pop up. The last known event was on Friday night, and I couldn't sort by date/time. So I am thinking of checking this if the issue pops up. Or do you guys know any way to export all the tasks in an excel or txt file and look up if it's a good one or not.

And one more thing. In that log file, there is something called Hola which I think I tried around BGT finals. But I couldn't get it to work. So I uninstalled. I don't know why it's still in my PC. Do you guys know how to find and remove it from trusted site?
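For the question above about exporting the task list, and the earlier advice to check Scheduled Tasks, an added example that is not part of the original posts: `schtasks /query /fo CSV /v > tasks.csv` writes every task to a CSV file, and the Python below narrows such an export to tasks outside the `\Microsoft\` folder, most recently run first. The sample rows, the reduced column set and the `DATE_FORMAT` value are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Assumption: date format of an English locale using dd-MMM-yyyy, as in the
# HijackThis log header in this thread. Adjust to match the export.
DATE_FORMAT = "%d-%b-%Y %I:%M:%S %p"

# CONSTRUCTED sample shaped like `schtasks /query /fo CSV /v` output, reduced to
# four of its columns. schtasks repeats the header row for each task folder.
SAMPLE_CSV = r'''"TaskName","Last Run Time","Author","Task To Run"
"\Adobe Flash Player Updater","30-Oct-2015 8:35:00 PM","Adobe Systems Incorporated","C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe"
"\ExampleUpdaterTask","30-Oct-2015 9:14:05 PM","HOM","C:\Users\HOM\AppData\Roaming\example\updater.exe /silent"
"\NeverRanTask","N/A","HOM","C:\Program Files (x86)\Example\helper.exe"

"TaskName","Last Run Time","Author","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","28-Oct-2015 1:00:00 AM","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o"
'''


def load_tasks(csv_text):
    """Parse the export and drop the header rows schtasks repeats per folder."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["TaskName"] != "TaskName"]


def parse_time(value, fmt=DATE_FORMAT):
    """Return a datetime, or None for "N/A" (never run) or an unexpected format."""
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def third_party_recent_first(tasks):
    """First-pass narrowing: tasks outside \\Microsoft\\, newest run first.

    Tasks under \\Microsoft\\ are only hidden to shorten the list; they are
    not proven clean by this filter.
    """
    keep = [t for t in tasks
            if not t["TaskName"].lower().startswith("\\microsoft\\")]
    return sorted(keep,
                  key=lambda t: parse_time(t["Last Run Time"]) or datetime.min,
                  reverse=True)


def report(tasks):
    """One text line per task: last run, name, author, command."""
    return ["{:<24} {:<30} {:<28} {}".format(
                t["Last Run Time"], t["TaskName"], t["Author"], t["Task To Run"])
            for t in tasks]


if __name__ == "__main__":
    for line in report(third_party_recent_first(load_tasks(SAMPLE_CSV))):
        print(line)
```
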


----------



## Flash (Nov 2, 2015)

nac said:


> And one more thing. In that log file, there is something called Hola which I think I tried around BGT finals. But I couldn't get it to work. So I uninstalled. I don't know why it's still in my PC. Do you guys know how to find and remove it from trusted site?


Hola is a free VPN service.


----------



## dashing.sujay (Nov 3, 2015)

Manage scheduled tasks through CCleaner.

Also, check my adware/malware removal guide (in sig), you might get some help from there. Some BHO is messed up.


----------



## sinhead (Nov 3, 2015)

Bro I had a harrowing time with redirects since the last month. Nothing helped, not even malware checks in safemode. 
Finally uninstalled firefox and chrome,

Installed opera with 2 addons - adblockplus  and http switchboard
Adblockplus - ( Allow some non-intrusive advertising = switched off)
http switchboard - Enable strict blocking = on

Also updated my antivirus. 

Finally I have been able to browse at peace.


----------



## Vyom (Nov 3, 2015)

But did you know what "Exactly" was causing the problem?
They say, "If you don't know what the problem was, you never fixed it".


----------



## nac (Nov 4, 2015)

Flash said:


> Hola is a free VPN service.


Yes. But how do I remove it from "trusted zone" (there is an entry in that log file)


dashing.sujay said:


> Manage scheduled tasks through CCleaner.
> Also, check my adware/malware removal guide (in sig), you might get some help from there. Some BHO is messed up.


I will manage tasks through CCleaner. 
I checked your thread/guide. It's like a lengthy process. But I will sure do it and post my feedback.


lenin.arya said:


> Bro I had a harrowing time with redirects since the last month. Nothing helped, not even malware checks in safemode.
> Finally uninstalled firefox and chrome,
> Installed opera with 2 addons - adblockplus  and http switchboard
> Adblockplus - ( Allow some non-intrusive advertising = switched off)
> http switchboard - Enable strict blocking = on


Yeah, I learned there are many people who got affected with this redirection when I googled. 
What you have done is pretty much the same as my suggested options. I have done them. It's been four days since last event. I want to think it's gone. 


Vyom said:


> But did you know what "Exactly" was causing the problem?
> They say, "If you don't know what the problem was, you never fixed it".


NO. I don't know what exactly causing the problem.


----------



## dashing.sujay (Nov 4, 2015)

nac said:


> I will manage tasks through CCleaner.
> I checked your thread/guide. It's like a lengthy process. But I will sure do it and post my feedback.



It's not that lengthy. Since it was supposed to be a 'guide', therefore the explanatory writing style.

Plus, you already have tried half options, so it won't take much time to try others, but go serially as explained in the thread.


----------



## Flash (Nov 4, 2015)

nac said:


> Yes. But how do I remove it from "trusted zone" (there is an entry in that log file)


It's not adware/malware. Since you've installed HOLA extension in the past, it may've logged the entry into the registry.
Anyway, if you want to remove -

```
Open IE> Options > Open Internet Options > Security tab > Trusted sites > Click on SITES button > It will show all the trusted sites which are added.
```
Remove the ones, which you don't trust


----------



## nac (Nov 4, 2015)

dashing.sujay said:


> It's not that lengthy. Since it was supposed to be a 'guide', therefore the explanatory writing style.
> Plus, you already have tried half options, so it won't take much time to try others, but go serially as explained in the thread.


But I have done them while I was working in normal mode. Since it's suggested to try them in safe mode, I need free time to try them. So the reason for delay...


Flash said:


> It's not adware/malware. Since you've installed HOLA extension in the past, it may've logged the entry into the registry.
> Anyway, if you want to remove -
> 
> ```
> ...


Wow!!! It's so simple. I should have googled... But after depending on tools to remove things lately, it didn't click my mind to google. Thank you.


----------



## Flash (Nov 4, 2015)

nac said:


> But I have done them while I was working in normal mode. Since it's suggested to try them in safe mode, I need free time to try them. So the reason for delay...
> 
> Wow!!! It's so simple. I should have googled... But after depending on tools to remove things lately, it didn't click my mind to google. Thank you.


I used to add my client's IP-based site to trusted sites. That's how I know.


----------



## nac (Nov 7, 2015)

dashing.sujay said:


> It's not that lengthy. Since it was supposed to be a 'guide', therefore the explanatory writing style.
> Plus, you already have tried half options, so it won't take much time to try others, but go serially as explained in the thread.


It's been more than one week since the last event. I hope the problem is fixed, but not sure. Went through your guide and here is my feedback. Please leave comment on what I should do about the things which I haven't fixed because of the reasons mentioned below.


> Check your computer for any unwanted program installed
> **Done.**
> **Checked in add/remove programs (control panel)**
> Using CCleaner
> ...


----------



## dashing.sujay (Nov 7, 2015)

@nac

For CCleaner, you might be using an old version. See this



Spoiler



*lawrenceharvey.files.wordpress.com/2013/02/lawrence-harvey-ccleaner-tools.jpg



Rogue killer results are fine, it has history of some false detection. Try reinstalling YAC, then run it again.

Regarding Autorun, anything which appears highlighted in yellow color, simply uncheck that.

Everything else seems fine. Good try.


----------



## nac (Nov 8, 2015)

dashing.sujay said:


> For CCleaner, you might be using an old version.
> 
> Rogue killer results are fine, it has history of some false detection. Try reinstalling YAC, then run it again.
> 
> Regarding Autorun, anything which appears highlighted in yellow color, simply uncheck that.


Oops! I was just looking at the tabs on the left hand side, didn't look at the top. It's there...  BTW I am using v5.xx

So I don't need to clean/fix/delete anything from the rogue killer scan result? YAC is fine, just that I couldn't run it because rogue killer killed the process (YAC started @ startup). If I don't run Rogue killer before YAC, I think I am good to go with YAC without fresh installation.

Almost all the listed things are not highlighted. Only these three are in yellow.


Spoiler



*i102.photobucket.com/albums/m108/tkphotos1/a_run%201_zpsew75w1mk.png



And few things in red, like this


Spoiler



*i102.photobucket.com/albums/m108/tkphotos1/a_run%202_zps8sxi6msd.png


----------



## dashing.sujay (Nov 8, 2015)

Yes, you can go ahead with YAC without running Rogue killer.

In autoruns, you just have to uncheck the ones highlighted in yellow, that's it. But there is nothing suspicious in the result here.


----------



## Zangetsu (Nov 9, 2015)

Just for the info.

There is a new malware on the internet, "*SupTab*", which redirects users to malicious websites.


----------



## nac (Nov 14, 2015)

Couldn't run YAC in safe mode. Maybe because of rogue killer. So uninstalled YAC and checked for suspicious files and folders in appdata, program data and program files. It's been two weeks since the last event. Thanks everyone. Thanks a lot.

Hope it's gone. If it ever comes back, I will post here.

And thanks very much for suggesting adblocker. Even though I am aware of such tool, I never bothered to try it. Because of this issue I tried it after your suggestion, now digit forum loads faster, youtube loads faster. Excellent.


----------



## dashing.sujay (Nov 15, 2015)

^Which adblock plugin are you using?


----------



## nac (Nov 15, 2015)

dashing.sujay said:


> ^Which adblock plugin are you using?


Mozilla add ons, adblock plus.


----------



## amjath (Nov 15, 2015)

My office laptop yesterday while browsing Chrome redirected me to asnews.com.sg. I did not have adblock installed. I am sure they are redirected because of spammed ads all over the internet.

IMO install adblock and whitelist the websites which you want to donate to through ads. Others simply want money from ads.


----------

