Deleted Internet shortcut keeps returning when I start my computer.

Saigonjeff

New member
Local time
8:53 PM
Messages
14
Location
Ho Chi Minh City, Vietnam
Hi Everyone!

I am having a really frustrating time resolving this issue.

A few days ago, I noticed an internet shortcut to a stupid Vietnamese website called Laban.vn and my browser's homepage was hijacked and changed to this miserable site as well. I have absolutely no idea how it got there or where it came from! So I reset my browser to my Google+ homepage and deleted the desktop shortcut and went on about my work. I shut down for the day thinking the issue was taken care of. The next day I start up my PC and lo and behold... that damned shortcut is back!!! and my browser has been hijacked again!!! I have run every kind of virus and malware scan there is and none of them found anything! :mad2:

I'm at my wits' end... I just can't get rid of this annoying thing!:banghead:

Any ideas or advice would be greatly appreciated!:hot:
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Microsoft Windows 7 Professional 32-bit 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM)2 Duo CPU E7600 @ 3.06GHz
Motherboard
Gigabyte Technology Co., Ltd. G41MT-D3P
Memory
4.00 GB
Graphics Card(s)
ATI Radeon HD 4600 Series
Sound Card
(1) HD Webcam C525 (2) SB 5.1 VX (3) High Definition Aud
Monitor(s) Displays
Samsung T220 Widescreen LCD
Screen Resolution
1680 x 1050 x 32 bits (4294967296 colors) @ 59 Hz
Hard Drives
(1) ST3320620AS ATA Device (2) WDC WD10EARS-00Y5B1 ATA Device
Case
CoolMaster eLite
Keyboard
Lexma Wireless
Mouse
Lexma Wireless
Internet Speed
ADSL
Antivirus
SuperAntiSpyware Pro
Browser
Chrome
Saigonjeff,

Please do the following... this tool normally detects hard-to-find malware.


:info: Download the Farbar Recovery Scan Tool
Select the 64-bit version.



Save it to the Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply. <<---


The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Should I restart and let the thing happen again before running FRST?

I have Superantispyware set to prevent the browser change as well...
 

Should I restart and let the thing happen again before running FRST?

That's a good idea!
 

OK... Attached are the files you requested... I have also included a text file with the URL of the malicious site as it is entered into IE when it hijacks my home page.
 

Saigonjeff,

Please do the following...

:info: Open Notepad (Start > All Programs > Accessories > Notepad)

Copy/paste all the contents inside the quote box below to Notepad (do not copy the word 'Quote').
Save it on the Desktop as: fixlist.txt

start
HKCU\...\Runonce: [lbro] F:\Users\Jeff\AppData\Roaming\laban.exe -ro 001 [x]
HKCU\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laban.vn/?utm_source=001&u=7260d6f9544013295f2570bb0b19f97f27ad
FF Homepage: hxxp://www.laban.vn/?utm_source=001&u=7260d6f9544013295f2570bb0b19f97f27ad
CHR RestoreOnStartup: "hxxp://www.laban.vn/?utm_source=001&u=7260d6f9544013295f2570bb0b19f97f27ad
2013-07-05 12:41 - 2013-07-05 12:41 - 00000161 ____A F:\Documents and Settings\Jeff\Desktop\Laban.vn.url
2013-07-03 14:07 - 2013-07-03 14:06 - 00513832 ____A (VNG Corporation) F:\Documents and Settings\Jeff\Application Data\laban.exe
2013-07-03 14:07 - 2013-07-03 14:06 - 00513832 ____A (VNG Corporation) F:\Documents and Settings\Jeff\AppData\Roaming\laban.exe
2013-07-05 12:41 - 2013-07-05 12:41 - 00000161 ____A F:\Documents and Settings\Jeff\Desktop\Laban.vn.url
2013-07-03 14:06 - 2013-07-03 14:07 - 00513832 ____A (VNG Corporation) F:\Documents and Settings\Jeff\Application Data\laban.exe
2013-07-03 14:06 - 2013-07-03 14:07 - 00513832 ____A (VNG Corporation) F:\Documents and Settings\Jeff\AppData\Roaming\laban.exe
end

WARNING: This script is written specifically for Saigonjeff, for use on this particular computer. Running the script on another computer may cause damage to the Operating System!!

Run FRST again, but this time press the Fix button just once, and wait.

When done, the tool makes a log on the Desktop.
This time it is called: Fixlog.txt

Please post Fixlog.txt in your reply.


:info: Also, please press on with Downloading MiniToolBox
Save to the Desktop. <<--
Double-click the downloaded file to run it.

Image courtesy of BleepingComputer:
MTB.gif





When the above console opens, please check the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings (Only if you use FireFox)
  • List content of Hosts
Click: Go


Please post the Result.txt in your reply.
(A copy of Result.txt is also saved on the Desktop.)
 

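The fixlist above targets four kinds of entry: a RunOnce autostart under the user profile, a per-user Winlogon Shell value, browser start pages, and a desktop `.url` shortcut. As an added example (not part of the original thread and not FRST's own logic), this Python script triages FRST-style log lines for those patterns; the sample lines, rule names and the `expected_hosts` allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the FRST log style quoted in the fixlist above.
SAMPLE = r"""
HKLM\...\Run: [Audio] C:\Program Files\Vendor\audio.exe [x]
HKCU\...\Runonce: [upd] C:\Users\user\AppData\Roaming\updater.exe -ro 001 [x]
HKCU\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.example/?u=1
FF Homepage: hxxp://portal.example/?u=1
CHR RestoreOnStartup: "hxxp://www.google.com/"
2013-07-05 12:41 - 2013-07-05 12:41 - 00000161 ____A C:\Users\user\Desktop\Portal.url
""".strip().splitlines()

# Run/RunOnce autostart entries, and targets that sit in user-writable folders.
AUTORUN = re.compile(r"^HK(?:CU|LM|U)\\.*\\Run(?:once)?: \[[^\]]*\] (?P<cmd>.+)$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Application Data|Temp)\\", re.I)
# A Shell value under HKCU overrides the machine-wide shell for that user only.
SHELL = re.compile(r"^HKCU\\.*\\Winlogon: \[Shell\]", re.I)
HOMEPAGE = re.compile(r'(?:Start Page = |FF Homepage: |CHR RestoreOnStartup: )"?(?P<url>\S+?)"?$', re.I)
SHORTCUT = re.compile(r"\\Desktop\\[^\\]+\.url$", re.I)

def host_of(url):
    """Hostname of a URL; FRST writes some URLs defanged as hxxp://."""
    return urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""

def triage(lines, expected_hosts=("www.google.com",)):
    """Return (rule, line) pairs for lines matching a persistence or hijack pattern."""
    findings = []
    for line in lines:
        m = AUTORUN.match(line)
        if m and USER_WRITABLE.search(m["cmd"]):
            findings.append(("autorun-from-user-profile", line))
        elif SHELL.match(line):
            findings.append(("per-user-shell-override", line))
        elif (m := HOMEPAGE.search(line)) and host_of(m["url"]) not in expected_hosts:
            findings.append(("unexpected-start-page", line))
        elif SHORTCUT.search(line):
            findings.append(("desktop-internet-shortcut", line))
    return findings

if __name__ == "__main__":
    for rule, line in triage(SAMPLE):
        print(f"{rule:28} {line}")
```

A hit is a prompt to review the entry, not proof of malware: legitimate software also installs per-user autoruns under AppData.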
Done... The files you requested are attached.
 

Please open your Chrome browser.

Click on the Customize and Control Google Chrome button (Top right - button with 3 horizontal bars)
Select: Settings

In the Settings area, go to: On startup
Tick: Open a specific page or set of pages > Set pages

In the prompt that appears (Startup pages), click: Add a new page
From there, select the new page you want to use, and delete any reference to the Laban.vn website.

Restart the computer, and post back on how it goes. Is the Laban.vn website still taking over?
 

Thank you so much!
No more shortcut popping onto my desktop, and my browsers are no longer being hijacked after restarting the computer...!

Finally I'm rid of it!

Can you give me any idea of how it may have gotten there? Was it some software I installed or some other malicious script somewhere? I'd really like to find out so I can avoid it happening again...!

Thanks again!:thumbsup:
 

Saigonjeff,

Laban.vn looks like some sort of Yahoo-like website:
http://www.vng.com.vn/en/
Can't say it is malicious, but it sure installs with a grip.
There are programs that come 'bundled' with other 'goodies', so you may have gotten it while downloading something else. Need to watch the download closely to make sure you are not installing any "extras"!

There is also some adware/junkware in the system, so, please do the following:

:info: Download AdwCleaner:

http://www.bleepingcomputer.com/download/adwcleaner/
  • Save the program to the Desktop
  • Close all open programs and internet browsers.
  • Right-click on adwcleaner.exe and select: Run As Administrator
  • At the program console, click on: Delete
  • When the program is done, the computer is rebooted automatically, and a text file opens after the restart.
Please post the AdwCleaner report in your reply. <<<---


:info: Also use the Junkware Removal Tool Download
Save to the Desktop.

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications.
These programs may interfere with the running of JRT.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides


Right-click JRT.exe and select: Run as Administrator
The tool opens and starts scanning the system. Please be patient as this can take a while...

When done, a report, JRT.txt is saved on the Desktop.

Please post the contents of JRT.txt in your reply.


:info: Last, let’s check your Security status with the following...

Download Security Check:
http://screen317.spywareinfoforum.org/
Save to your Desktop.

Double-click SecurityCheck.exe

Follow the onscreen instructions inside the black box.

When done, a Notepad report opens automatically, called: checkup.txt

Please post the checkup.txt in your reply.

(Please do not take any corrective actions!)
 
