fbdownloader infection

freeR2

New Member
Thread author
Feb 24, 2013
8
Greetings and good wishes Fiery,

Your assistance with the removal of the fbdownloader virus from this droid/computer please would be greatly appreciated. Please see the specifics included in the attached scan log files and system/situation information included.

Is there any other diagnostic tools that need to be run at this time please? Or any additional steps necessary? Please advise.

Thank-you in advance for your time, service and help with this issue.

Best regards,
FreeR2
 

Attachments

  • AdwCleaner[R2].txt
    2.8 KB · Views: 88
  • JRT[R2].txt
    3.8 KB · Views: 92
  • OTL[R2].Txt
    91.5 KB · Views: 127
  • Extras[R2].Txt
    40.5 KB · Views: 107

Fiery

Level 1
Jan 11, 2011
2,007
Hi there,

Can you run a new OTL scan since the system has changed after you ran JRT and adwcleaner. Good thing is, I see the problematic files :)
 

freeR2

New Member
Thread author
Feb 24, 2013
8
Fiery said:
Hi there,

Can you run a new OTL scan since the system has changed after you ran JRT and adwcleaner. Good thing is, I see the problematic files :)

Hello there and thank-you for your reply and help.

Certainly. Please see the attached file, which is the requested new OTL scan since running JRT.

Glad to hear the problematic files have been spotted. :)
 

Attachments

  • OTL2[R2].Txt
    89.3 KB · Views: 88

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.fbdownloader.com/?channel=sfuk205
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://search.fbdownloader.com/search.php?channel=sfuk205&q={searchTerms}
FF - prefs.js..browser.search.defaulturl: "http://search.fbdownloader.com/search.php?channel=sfuk205&q="
FF - prefs.js..keyword.URL: "http://search.fbdownloader.com/search.php?channel=sfuk205&q="
CHR - homepage: http:\/\/search.fbdownloader.com\/?channel=sfuk205
CHR - default_search_provider: FBDownloader Search (Enabled)
CHR - default_search_provider: search_url = http:\/\/search.fbdownloader.com\/search.php?channel=sfuk205&q={searchTerms}
O4 - HKCU..\Run: [DataMgr] "C:\Documents and Settings\Super User\Application Data\DataMgr\DataMgr.exe" File not found
O4 - HKCU..\Run: [SCheck] C:\Documents and Settings\Super User\Application Data\SCheck\SCheck.exe ()
O4 - HKCU..\Run: [SSync] C:\Documents and Settings\Super User\Application Data\SSync\SSync.exe ()

:Files
C:\Documents and Settings\Super User\Application Data\SSync
C:\Documents and Settings\Super User\Application Data\SCheck
C:\Documents and Settings\Super User\Application Data\DataMgr
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot and then post the log afterwards. Let me know if you are still getting the redirects after.
 

freeR2

New Member
Thread author
Feb 24, 2013
8
Fiery said:
Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.fbdownloader.com/?channel=sfuk205
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://search.fbdownloader.com/search.php?channel=sfuk205&q={searchTerms}
FF - prefs.js..browser.search.defaulturl: "http://search.fbdownloader.com/search.php?channel=sfuk205&q="
FF - prefs.js..keyword.URL: "http://search.fbdownloader.com/search.php?channel=sfuk205&q="
CHR - homepage: http:\/\/search.fbdownloader.com\/?channel=sfuk205
CHR - default_search_provider: FBDownloader Search (Enabled)
CHR - default_search_provider: search_url = http:\/\/search.fbdownloader.com\/search.php?channel=sfuk205&q={searchTerms}
O4 - HKCU..\Run: [DataMgr] "C:\Documents and Settings\Super User\Application Data\DataMgr\DataMgr.exe" File not found
O4 - HKCU..\Run: [SCheck] C:\Documents and Settings\Super User\Application Data\SCheck\SCheck.exe ()
O4 - HKCU..\Run: [SSync] C:\Documents and Settings\Super User\Application Data\SSync\SSync.exe ()

:Files
C:\Documents and Settings\Super User\Application Data\SSync
C:\Documents and Settings\Super User\Application Data\SCheck
C:\Documents and Settings\Super User\Application Data\DataMgr
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot and then post the log afterwards. Let me know if you are still getting the redirects after.

Hi. Thank-you. Done.

Please see the attached file. It did not want to attach as a .txt file (with a number only for its file name) so the contents have been copied and pasted into the attached Word doc.

While fbdownloader no longer automatically becomes the default search engine, it still became the home page in Firefox on boot up.

Any thoughts please on what to do next?


Update: Upon rebooting a second time, fbdownloader no longer hijacks the home page in Firefox (nor the separate search engine on the task bar). This has been double-checked by rebooting a third time, where neither the home page nor the default search engine were hijacked by fbdownloader.

Thank-you very much. What should be done next to double-check everything else please? Shall another scan be done with Adwcleaner, OTL and/or JRT? Please advise.
 

Attachments

  • OTL Run-Fix Log.doc
    26 KB · Views: 98

Fiery

Level 1
Jan 11, 2011
2,007
Good, now let's run 2 scans to check for any remnants :)

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trail, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next, run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

freeR2

New Member
Thread author
Feb 24, 2013
8
Thank-you again Fiery for your continued assistance. Please see the two log files from the requested scans attached.

There are a couple of minor notes about the Malwarebytes that feel worth sharing.

There was no "Show Results" found, but the log tab provided access to view the results.

The following option/item was also not found, so this step has not been completed:
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.

The ESET online scan detected two potential threats, one of which was a softonicdownloader E. application variant confirming the source of the fbdownloader virus in this case.

Please advise on how to proceed.

Thank-you.
 

Attachments

  • mbam-log-2013-02-26 (02-40-46).txt
    1.8 KB · Views: 100
  • eset26feb13.txt
    310 bytes · Views: 91

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Navigate to C:\Documents and Settings\Super User\My Documents\Downloads\Setup-exe files\SoftonicDownloader_for_macromedia-flashpaper.exe and delete the file manually. It is in your download folder, as long as you don't run the application again, you'll be fine.

Please update your Java from here as it is outdated.

Also update your adobe reader here to version 11.

Is there anything else I could help you with? If not, we will clean up here.

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall




Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link




Keep your system updated
  • Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Backup important files regulary to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

freeR2

New Member
Thread author
Feb 24, 2013
8
Good day and good wishes Fiery.

Thank-you for your reply and kind assistance with everything.

The file deletion is done; looks like the issue has been resolved/cleaned up.

Thanksamillion.

Best regards,
FreeR2
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top