fb Downloader removal issues

[Abuelo]

I'm a big fan of the work you do on this website and normally your instructions on the blog work a charm. I'd be very grateful for any help that you can offer with this issue.

 

[Fiery]

Hi and welcome to MalwareTips!

I'n Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Your infection is actually worse than it seems. There is a nasty rootkit that we have to remove.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.fbdownloader.com/?channel=sfuk205
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://search.fbdownloader.com/search.php?channel=sfuk205&q={searchTerms}
FF - prefs.js..browser.search.defaulturl: "http://search.fbdownloader.com/search.php?channel=sfuk205&q="
FF - prefs.js..browser.startup.homepage: "http://search.fbdownloader.com/?channel=sfuk205"
FF - prefs.js..keyword.URL: "http://search.fbdownloader.com/search.php?channel=sfuk205&q=
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.


:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

---

Download Farbar Recovery Scan Tool from the below link:
<ul><li>For 32 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST.exe" rel="nofollow external"><>Farbar Recovery Scan Tool</></a> and save it to a USB/flash drive.
For 64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a USB/flash drive.</li>

Also download List Parts 32bit or Listparts 64 bit and save it to the USB/flash drive also.

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>

<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close the message.
<li>Back in the command prompt, type <><span style="color: #ff0000;">e</span>:\listparts.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\listparts64.exe</>) and press <>Enter</>
<li>ListParts will start to run. Check the box beside List BCD and click Scan
<li>When finished scanning it will make a log Result.txt on the flash drive
<li>Type exit</li>
<li>Please copy and paste both FRST.txt and Result.txt logs in your next reply</li></li>
</ol>
</ul>

 

[Abuelo]

Hi Fiery

Thank you for your time and for identifying a larger problem. I have attached the files as requested.

I don't know if it is important but on a few occasions restarting my computer failed and I had to run the Windows Startup Repair tool.

Looking forward to further advice.

 

[Fiery]

Hi, let's get rid of some malware. They are preventing you from booting up properly sometimes. You are infected with the ZeroAccess rootkit, you can google that if you want to read more about it. Did you also run the OTL fix? If not, do the fix below first so you can boot properly to allow OTL to finish the deleting process.

Open notepad and copy & paste the following:

start
HKU\Dan\...\Run: [SCheck] "C:\Users\Dan\AppData\Roaming\SCheck\SCheck.exe" check [41984 2012-12-19] ()
HKU\Dan\...\Run: [SSync] "C:\Users\Dan\AppData\Roaming\SSync\SSync.exe" [41984 2012-12-19] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$efd8300e57d98426a0bc288ca2382ba0\n. ATTENTION! ====> ZeroAccess
C:\$Recycle.Bin\S-1-5-18\$efd8300e57d98426a0bc288ca2382ba0\n
2013-02-16 10:59 - 2013-02-16 10:59 - 00000000 ____D C:\Users\Dan\Application Data\SCheck
2013-02-16 10:59 - 2013-02-16 10:59 - 00000000 ____D C:\Users\Dan\Application Data\Common
2013-02-16 10:59 - 2013-02-16 10:59 - 00000000 ____D C:\Users\Dan\AppData\Roaming\SCheck
2013-02-16 10:59 - 2013-02-16 10:59 - 00000000 ____D C:\Users\Dan\AppData\Roaming\Common
2013-02-16 11:00 - 2013-02-16 11:00 - 00000000 ____D C:\Users\Dan\Application Data\SSync
2013-02-16 11:00 - 2013-02-16 11:00 - 00000000 ____D C:\Users\Dan\AppData\Roaming\SSync
Folder: C:\Users\Dan\Desktop\76561198005397767
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Try rebooting to normal mode now.

 

[Abuelo]

Hi Fiery

Sorry, I did run the OTL fix previously mentioned

Attached is the new fixlog

 

[Fiery]

That is ok, did OTL provide a log once you rebooted? If so, attach that log as well.

Now, please do a new FRST scan so I can make sure the infection is gone.

 

[Abuelo]

That is ok, did OTL provide a log once you rebooted? If so, attach that log as well.

Now, please do a new FRST scan so I can make sure the infection is gone.

The Attachment system won't allow me to upload the OTL log, please find the information below:

All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}\ not found.
Prefs.js: "http://search.fbdownloader.com/search.php?channel=sfuk205&q=" removed from browser.search.defaulturl
Prefs.js: "http://search.fbdownloader.com/?channel=sfuk205" removed from browser.startup.homepage
Prefs.js: "http://search.fbdownloader.com/search.php?channel=sfuk205&q= removed from keyword.URL
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Dan\Downloads\cmd.bat deleted successfully.
C:\Users\Dan\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Dan
->Temp folder emptied: 75591326 bytes
->Temporary Internet Files folder emptied: 76171138 bytes
->Java cache emptied: 479638 bytes
->FireFox cache emptied: 2578201 bytes
->Google Chrome cache emptied: 41490927 bytes
->Flash cache emptied: 938 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User

User: Guest

User: HomeGroupUser$

User: matt
->Temp folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 78028 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 46433401 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 232.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 02192013_175335

Files\Folders moved on Reboot...
C:\Users\Dan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVCBI0QR\index[1].htm moved successfully.
File\Folder C:\Windows\temp\hsperfdata_DAN-PC$\2060 not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Just to check, do you need me to do a scan with both FRST and ListParts as per the previous steps, or just FRST?

 

[Fiery]

Just the FRST scan will be fine

 

[Abuelo]

Just the FRST scan will be fine

Hi fiery

When attempting to run the scan my PC is dumping into a hibernation like mode that is only escape able through qa power cut. This is occurring at seemingly random times during the repair my computer phase (sometimes when the scan is running).

Do you have any advice?

 

[Fiery]

Has that been happening before the last FRST fix or after?

 

[Abuelo]

Has that been happening before the last FRST fix or after?

Hi Fiery

I suspect it was simply an overheating issue as I run a high uptime. Leaving my computer off for a few minutes allowed me to complete a full scan. Log attached!

(PS On an unrelated note, I accidentally clicked Report on your last post so if there is some sort of flag please accept my apologies! makes me seem extremely ungrateful!)

 

[Fiery]

Haha that's ok, I never got the report

I just want to make sure, did you create this folder? Do you know anything about it? It is on your desktop. C:\Users\Dan\Desktop\76561198005397767

Let's do one more scan to make sure you are clean. Also, let me know how your PC is functioning. Are you still getting the redirects?

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• Re-enable your antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

 

[Abuelo]

Yes that is a folder known to me, I can see why it would look suspicious!

I am no longer experiencing redirects or browser settings changes on any browser. I am currently running the ESET scanner, last time I ran such a scan it took an hour so i'll post the log when it finishes

Your help is greatly appreciated

 

[Fiery]

Yes that is a folder known to me, I can see why it would look suspicious!

Yes though malware usually don't install itself to the Desktop, that would be dumb for the malware author Just wanted to make sure

Ok, let me know when the scan completes. It will take a few hours

 

[Abuelo]

Hi Fiery

Logs attached, some clarifications

The reference to CheatEngine is a memory hack tool that allows you to locate memory keys used by running applications (Pc games) - if I am at risk by having usch a tool and your advice is to remove it then I will destroy it

The following entry:

sh=553B685F5F02CA37A3C61FA96E8E7AE77AE24F69 ft=1 fh=a1e7991b07f47d08 vn="a variant of Win32/SoftonicDownloader.E application" ac=I fn="C:\Users\Dan\Downloads\SoftonicDownloader_for_surgeon-simulator-2013.exe"

This is the original exe that installed the fbdownloader and wajam software. I assume that this should be deleted? I use a tool called Eraser for secure deletion.

Looking forward to further tips

 

[Fiery]

Yes, delete C:\Users\Dan\Downloads\SoftonicDownloader_for_surgeon-simulator-2013.exe and C:\Users\Dan\Downloads\dfx10Setup.exe (unless you know what that is)

The CheatEngine should be fine, as long as you know what it is and what it does.

Are you experiencing any other issues that require assistance? If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall

---

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

---

Keep your system updated

• Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

• avast! 7 Home Edition - Don't use it with Online Armor
• Avira AntiVir Personal
• BitDefender Antivirus Free Edition
• Microsoft Security Essentials

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.

• Online Armor
• Comodo Firewall - If you are an advance user
• ZoneAlarm Free Firewall
• PC Tool Firewall Plus

Other steps that you may want to do to further protect your system/files:

• Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
• Backup important files regulary to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
​

 

[Abuelo]

That's excellent, thank you very much for your help today!

I couldn't afford the level of tech support you just gave me but please accept my meager donation as a thank you and a recognition of the excellent service you and this website offer people like me.

 

[Fiery]

Thank you, it was my pleasure to help you.

Take care