V9 portal hijacker

japchinlvr

New Member
Thread author
Apr 16, 2013
7
I'm sorry I can't do this OTL asw stuff. I'm afraid to infect my little netbook which I need. I'm not a computer pro.

First - thank you so much for the instructions to remove money pak - worked like a charm. But this week I got this darn V9 and nothing seems to work. I followed your steps:

step 1- no new tab or elex programs to uninstall

step 2- no proxy add ons to delete. removed V9 search provider. made bling default. internet options general V9 has replaced the ie default home page tab and won't be deleted

step 3 - deleted V9 from the Target

step 4 - ran adwcleaner and several v9 items were removed according to the log

step 5 - ran malwarebytes nothing found

step 6 - ran hitman pro found netwrapper.dll - quarantined

started IE - still V9, even though the default is google
went to IE properties, target has V9 again. I deleted it again. Started IE still have V9.

Help - I don't know what else to do. I have windows 7 and IE10.

Thank you
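
A read-only check for the symptom described in this post, as an added example that is not part of the original thread: it lists browser shortcuts whose Target has a URL appended as an argument, in the usual Desktop, Start Menu and Quick Launch locations. The browser list and the folder list are assumptions of this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report browser shortcuts whose Target carries a URL argument.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'   # assumed list, extend as needed
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes pinned taskbar items
) | Where-Object { Test-Path -LiteralPath $_ }

$shell = New-Object -ComObject WScript.Shell

$hits = foreach ($lnk in Get-ChildItem -Path $roots -Recurse -Filter *.lnk -ErrorAction SilentlyContinue) {
    $shortcut = $shell.CreateShortcut($lnk.FullName)
    if (-not $shortcut.TargetPath) { continue }            # e.g. shortcuts to shell objects

    $exe = Split-Path -Leaf $shortcut.TargetPath
    # A clean browser shortcut normally has an empty Arguments field; a URL here
    # is what shows up after the closing quote in the Properties > Target box.
    if ($browsers -contains $exe -and $shortcut.Arguments -match 'https?://|www\.') {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $shortcut.TargetPath
            Arguments = $shortcut.Arguments
            Modified  = $lnk.LastWriteTime
        }
    }
}

if ($hits) { $hits | Format-List } else { 'No browser shortcut with a URL argument found.' }
```

The Modified timestamp helps tell a shortcut that was rewritten after cleanup from one that was never fixed.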
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

OTL is 100% virus-free. It will not infect your PC. It is a diagnostic tool for us helpers to see what is wrong with your PC. To validate the tool, here is a tutorial about the tool and what it does: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 

japchinlvr

New Member
Thread author
Apr 16, 2013
7
Hello - Just FYI - last thing before I went to bed last night I did IE internet options "restore advanced options". Now I do not see the V9 tab or in the "Target". But I'm concerned it's still here somewhere.

OTL files attached....

THX!
 

Attachments

  • OTL.Txt
    95.8 KB · Views: 112
  • Extras.Txt
    69.2 KB · Views: 115

Fiery

Level 1
Jan 11, 2011
2,007
Hi there,

There seems to be a suspicious file & folder on the system called Magnipic. It is adware.

The program loads itself into the AppInit_DLLs where files under that setting will load very early on your system. Usually, rootkits use this technique to mask other malware on the system. I see you have it as an extension on Chrome too; I would advise you to remove it.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O20 - AppInit_DLLs: (c:\progra~2\magnipic\sprote~1.dll) - File not found
CHR - Extension: MagniPic = C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\leimedjljnbdkhjglollaialjcngkfdb\1\
CHR - Extension: MagniPic = C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejhacogechociploajgdedklpanhegc\1\

:Files
c:\progra~2\magnipic
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Next, Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
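
The AppInit_DLLs setting that the OTL fix above acts on can also be inspected directly. The following is an added example, not part of the original posts or of OTL: a read-only PowerShell audit that lists every DLL registered under AppInit_DLLs in both registry views, whether the file still exists, and its signature status. It assumes PowerShell 3.0 or later, run elevated from a 64-bit console; the output property names are this example's own.

```powershell
# Added example: audit AppInit_DLLs in the native and 32-bit (Wow6432Node) views.
$views = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\System32"
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = "$env:SystemRoot\SysWOW64"
}

$findings = foreach ($key in $views.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # no Wow6432Node on 32-bit Windows
    $props = Get-ItemProperty -LiteralPath $key

    # The value is one string; entries are separated by spaces or commas, which is
    # why the entry in this thread uses an 8.3 short path (c:\progra~2\...).
    $entries = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

    foreach ($dll in $entries) {
        # A bare file name is resolved against the system directory of that view.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $views[$key] $dll }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

        [pscustomobject]@{
            RegistryKey   = $key
            Entry         = $dll
            FileExists    = $exists        # False is the case OTL reported as "File not found"
            Signature     = $signature
            LoadEnabled   = $props.LoadAppInit_DLLs
            RequireSigned = $props.RequireSignedAppInit_DLLs
        }
    }
}

if ($findings) { $findings | Format-List } else { 'AppInit_DLLs is empty in both registry views.' }
```

An entry whose file is missing, as in this thread, is a leftover registration; an entry whose file exists but is unsigned or unknown is the one to investigate first.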
 

japchinlvr

New Member
Thread author
Apr 16, 2013
7
Hello - ran OTL and mbar twice. Nothing found on the second mbar. Logs attached.

Do I have to do something with Chrome? I have never used it so I don't know where things are.

OTL log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~2\magnipic\sprote~1.dll deleted successfully.
C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\leimedjljnbdkhjglollaialjcngkfdb\1 folder moved successfully.
C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejhacogechociploajgdedklpanhegc\1 folder moved successfully.
File PTYTEMP] not found.
File SETHOSTS] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 04182013_200700

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

Attachments

  • mbar-log-2013-04-18 (20-43-25).txt
    1.9 KB · Views: 90
  • mbar-log-2013-04-18 (21-21-12).txt
    1.8 KB · Views: 94
  • system-log.txt
    53.3 KB · Views: 107

Fiery

Level 1
Jan 11, 2011
2,007
Ok.

Update Malwarebytes Anti-malware and do a Quick Scan.

Then Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

japchinlvr

New Member
Thread author
Apr 16, 2013
7
Hello - I ran malwarebytes - nothing found.

I ran the NOD32 antivirus 6. I did not see the settings you specified so I ran the "smart scan". 37 items cleaned. I couldn't attach the log - it was 179 pages long in a txt file. I don't have winzip at home.

OMG - will my computer ever be safe? Seems unending.

THX! for all your help.
 

Fiery

Level 1
Jan 11, 2011
2,007
179 pages? :s That is unusual..

Download Kaspersky Virus Removal Tool from here: http://www.kaspersky.com/antivirus-removal-tool?form=1 (Download Version 11. You'll have to enter your email address and name)
  • Double-click the file and follow the on-screen prompts until it is installed
  • Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
    • System Memory
    • Hidden startup objects
    • Disk boot sectors
    • Computer
    • Local Disk (C:)
  • Click on Automatic Scan
  • Now click the Start Scanning button, to run the scan
  • After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  • Click Detected threats on the left
  • Now click the Save button, and save it as kaslog.txt to your Desktop
  • Please attach kaslog.txt in your next reply.
 

japchinlvr

New Member
Thread author
Apr 16, 2013
7
Hello - I think it's OK. I haven't seen any sign of the V9 Portal. You're awesome!

You guys have a donation page anywhere?

Many Thanks!
 

Fiery

Level 1
Jan 11, 2011
2,007
You're welcome! And yes, mine is here:

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.


If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

If you have any other questions or concerns, feel free to ask :)
 
