Solved lah requesting help removing 'api.recomm.me ' Binary Watchdog malware

[lahudnell]

Hi,
I need help removing the annoying 'api.recomm.me' or Binary Watchdog malware that is hidden somewhere on my computer system. I will start with the recommended scans.

 

[TwinHeadedEagle]

Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.
  
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay for the repair.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

[lahudnell]

Hi THE,

I have completed the FRST scan and attached both log files (FRST.txt and Addition.txt)

Thanks

 

[TwinHeadedEagle]

Scan with ZOEK

Please download by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;
  autoclean;
  emptyalltemp;
  ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

 

[lahudnell]

Okay THE,

Here is the results of zoek. I had to copy and paste the contents of the file because it would not upload. Thanks again for your help.


Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Lionel on Sun 06/21/2015 at 20:26:32.47.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Lionel\Downloads\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2015-06-12-030719.log 16847 bytes

==== System Restore Info ======================

6/21/2015 8:29:49 PM Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"online_banking_08806E753BE44495B44E90AA2513BDC5@kaspersky.com"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\FFExt\online_banking@kaspersky.com" [03/17/2015 11:47 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Lionel\AppData\Roaming\eMusic\eMusic Download Manager\Profiles\7uju956j.default
- eMusic - Apple iTunes Support - C:\Program Files (x86)\eMusic Download Manager\xulrunner\extensions\dlm_itunes@emusic.com
- eMusic - Nullsoft Winamp Support - C:\Program Files (x86)\eMusic Download Manager\xulrunner\extensions\dlm_winamp@emusic.com
- eMusic - Microsoft Media Player Support - C:\Program Files (x86)\eMusic Download Manager\xulrunner\extensions\dlm_wmp@emusic.com

==== Firefox Plugins ======================


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
dbhjdbfgekjfcfkkfjjmlmojhbllhbho - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho[]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx[01/17/2012 11:45 AM]

Chrome Hotword Shared Module - Lionel\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Skype Click to Call - Lionel\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Mini Ninjas - Lionel\AppData\Local\Google\Chrome\User Data\Default\Extensions\oijfbknbncemokdnlboeabbcfhobechi

==== Chromium Startpages ======================

C:\Users\Lionel\AppData\Local\Google\Chrome\User Data\Default\Preferences
estinationOrigin\":\"local\",\"customMargins\":null}","savePath":"C:\\Users\\Lionel\\Desktop"}},"profile":{"avatar_bubble_tutorial_shown":1,"avatar_index":0,"content_settings":{"clear_on_exit_migrated":true,"exceptions":{"app_banner":{},"auto_select_certificate":{},"automatic_downloads":{},"cookies":{},"fullscreen":{},"geolocation":{},"images":{},"javascript":{},"media_stream":{},"media_stream_camera":{},"media_stream_mic":{},"metro_switch_to_desktop":{},"midi_sysex":{},"mixed_script":{},"mouselock":{},"notifications":{},"plugins":{},"popups":{},"ppapi_broker":{},"protocol_handlers":{},"push_messaging":{},"ssl_cert_decisions":{}},"pattern_pairs":{"http://www.wyndhamhotelgroup.com:80,http://www.wyndhamhotelgroup.com:80":{"geolocation":2},"https://tmobile.ecustomersupport.com:443,https://tmobile.ecustomersupport.com:443":{"geolocation":2}},"pref_version":1},"default_content_settings":{},"exit_type":"Crashed","exited_cleanly":true,"icon_version":3,"managed_user_id":"","migrated_content_settings_exceptions":true,"migrated_default_content_settings":true,"migrated_default_media_stream_content_settings":true,"multiple_profile_prefs_version":1,"name":"Default Profile","password_manager_enabled":false,"password_manager_groups_for_domains":[3,null,null,null,null,9],"per_host_zoom_levels":{}},"protection":{"macs":{}},"savefile":{"default_directory":"C:\\Users\\Lionel\\Downloads","type":0},"selectfile":{"last_directory":"C:\\misc dsktop"},"session":{"restore_on_startup_migrated":true,"startup_urls_migration_time":"13034058554206209"},"settings":{"privacy":{"drm_salt":"C11150507FDADF0774E3DEA9E12BEB0DE9115E79D9A1C23FB6A3ABE25CC178BB"}},"spdy":{"servers":["lh6.googleusercontent.com:443","news.google.com:443","lh5.googleusercontent.com:443","gg.google.com:443","clients6.google.com:443","lh4.googleusercontent.com:443","ajax.googleapis.com:443","accounts.google.com:443","mail-attachment.googleusercontent.com:443","plusone.google.com:443","toolbarqueries.google.com:443","i3.ytimg.com:443","apis.google.com:443","chatenabled.mail.google.com:443","i2.ytimg.com:443","securepubads.g.doubleclick.net:443","id.google.com:443","partner.googleadservices.com:443","dl-ssl.google.com:443","support.google.com:443","static.doubleclick.net:443","googleads.g.doubleclick.net:443","pagead2.googleadservices.com:443","www.googleadservices.com:443","lh3.googleusercontent.com:443","ssl.gstatic.com:443","accounts.youtube.com:443","fonts.googleapis.com:443","ad.doubleclick.net:443","mail.google.com:443","www.google.com:443","themes.googleusercontent.com:443","ssl.google-analytics.com:443","www.gmail.com:443","clients2.google.com:443","plus.google.com:443","pagead2.googlesyndication.com:443","fls.doubleclick.net:443"]},"sync":{"suppress_start":true},"tabs":{"use_compact_navigation_bar":false,"use_vertical_tabs":false},"translate_accepted_count":{"es":0,"ja":0},"translate_blocked_languages":["en"],"translate_denied_count":{"es":5,"ja":2},"translate_last_denied_time":1431865608206.644,"translate_site_blacklist":["www.livewell1demo.com"],"translate_whitelists":{},"webkit":{"webprefs":{"inspector_settings":"lastActivePanel:string:elements\n"}},"zerosuggest":{"cachedresults":""}}
61","username":"144FACE5906C4F447F973681F7C47CFC0B725299F31C0BE73C900991C31F0B5F"}},"homepage":"C852D2E14F5CB3D54D20A5B8359EC32E0E540ED0DE3F7ECEFA89ED80DD8C27FD","homepage_is_newtabpage":"CAE9C70C2EB1D3C440BC8973DE565E8F863587223A791546217030E5D8F4B495","pinned_tabs":"2914BCDEBF5B5FD7F020A66862DC99956997B487FE3264958588D2FD833924C1","prefs":{"preference_reset_time":"E9F625154E675D221280150E98D0E7E7E339ADDEDD6FDABA5F159DCDB7C9C12C"},"profile":{"reset_prompt_memento":"EFDF211E7AB864952C9E0866F2448D19CB18C088B2BCA15D0FB06142FBE92631"},"safebrowsing":{"incidents_sent":"9F5F8C4F0D2CBD1B9FBD033FF56316E96458C3A1F72461340A71712497DEF094"},"search_provider_overrides":"653E2FDE809581FFB734322D7C7D57E8EE91EEC3313852ECA9F95D0C745A1BEB","session":{"restore_on_startup":"B95FA4A7DD24849344B6F091B66CAC6BEBB456AFD49C3DE688F1CB888DFBB595","startup_urls":"A8C419FDBFE1DD5FE82D2850A2F60CF386C9DB9474080A083932EE603141E94A"},"software_reporter":{"prompt_reason":"6ACEFFE4CA29AA38EF25D26750E6BEF33D6DBBBB9816CA13A4304A7C1BE4F012","prompt_seed":"7C7FB288339AFE8263CBFBF4A63BCE521F30F0691F67A4094BB02479F09F3FC7","prompt_version":"72861789FB0975A51E646DE4A538636EDF50DAE67C44820424A95F11C0BF4D96"},"sync":{"remaining_rollback_tries":"68B60B9B645C53EA21378E8814E7106DB58D393006674A9ACB858DC1BD6A5AC9"}},"super_mac":"755A51A9B64D700CD15557363C953C67BA5DAF461CC92917D87FC0E1FE762D1A"},"session":{"startup_urls":["http://www.comcast.net/"]},"sync":{"remaining_rollback_tries":0}}


==== Chromium Fix ======================

C:\Users\Lionel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.mcgheeswasteremovalservices.com_0.localstorage deleted successfully
C:\Users\Lionel\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.mcgheeswasteremovalservices.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.comcast.net/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.comcast.net/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A524430-0EB4-416D-BBEB-14D6138C0BF0}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{6A524430-0EB4-416D-BBEB-14D6138C0BF0} Bing Url="http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox"

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Lionel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Lionel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Lionel\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=9 folders=2 7893963 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Lionel\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Lionel\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 06/21/2015 at 21:27:16.57 ======================

 

[TwinHeadedEagle]

How is the situation now?

 

[lahudnell]

Sorry for the slow response. I just opened a couple browser tabs in Chrome and the api.recomm.me redirecting is still happening. The malware is not gone yet.

 

[TwinHeadedEagle]

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

[lahudnell]

Results of the FRST scan done on 6/27/15. Just as a side note. I have been using my computer on the internet today and
so far (fingers crossed) I have had no redirects. Could the malware be gone?

Thanks for looking at this again.

 

[TwinHeadedEagle]

Yes, PC seems clean.

 

[lahudnell]

Thank you, thank you, thank you! I will submit a donation soon.

Also, I have another issue on a different computer so I may open a new thread shortly concerning that. I want to browse the other threads first to see if it has been fixed for others.

 

[TwinHeadedEagle]

Okay, you can open a new topic.

 

[lahudnell]

Thank you, thank you, thank you! I will submit a donation soon.

Also, I have another issue on a different computer so I may open a new thread shortly concerning that. I want to browse the other threads first to see if it has been fixed for others.

**** Not so fast. ): As of today 6/29/2015 the malware is back. What do I need to do to keep this thing out? I have Kaperskey
Total Internet Security active on my pc but it doesn't seem to work. I use www.comcast.net as my default website when the
browser opens, could it be getting in through comcast.net?

 

[TwinHeadedEagle]

Does it happen in all browsers?

 

[lahudnell]

Hi THE,

Sorry for the slow response. I just finished some more "testing" with Chrome and Internet Explorer. I use Chrome 99% of the time.

At this time it does not seem to be happening in IE. I am getting redirected to at least two different sites when using Chrome now.
They are PeakProfitsFormula.com and FatCrusherSystem.com

This is crazy. I can't figure out where this is coming from. I suspect my default website/homepage Comcast.net, but I can't prove it.

Should I scan again? More importantly, are there some settings I can turn on in Kaspersky to prevent this stuff?

 

[TwinHeadedEagle]

Can you reinstall Google Chrome?

 

[lahudnell]

I have not done it before but I will find out how to do it and let you know how it goes.

Thanks. Stay tuned.

 

[lahudnell]

THE,

So far so good. I uninstalled and then reinstalled Chrome and that *may* have done the trick. I will continue using the browser
and see what happens. Let's leave this thread open for a day or so. I will open another thread concerning my other computer
shortly. It was a victim of the CryptoLocker ransomware a few months ago. After reading in the forum I am hoping I have a chance
to decrypt the files.

 

[TwinHeadedEagle]

Good. I will mark this as SOLVED then.