Further advice on how to remove webalta.ru needed

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Hello,
This is my first post here and I have a problem removing the webalta.ru malware from my computer. I've followed the steps on this site and on others down to the letter, installing various anti malware software but still webalta.ru appears by default when I open IE or Chrome. The guide did help me remove dangerous cookies etc. I removed registry keys associated with the malware in safe mode but this didn't fix the problem either. Does anyone have any further advice on how to remove the problem? I'm not very savvy concerning virus/malware/trojan removal so please forgive any of my obvious errors/omissions.
Thanks in advance,
Dante2001
 

Attachments

  • OTL.Txt
    90.7 KB · Views: 107

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
[2013/07/25 18:09:01 | 000,250,090 | ---- | M] () -- C:\ProgramData\1374772072.bdinstall.bin
[2013/07/19 01:29:26 | 000,101,133 | ---- | M] () -- C:\ProgramData\1374187858.6852.bin
[2013/07/18 23:54:02 | 000,019,972 | ---- | M] () -- C:\ProgramData\1374187858.6124.bin
[2013/07/18 23:53:28 | 000,003,008 | ---- | M] () -- C:\ProgramData\1374187858.6264.bin
[2013/07/18 23:51:16 | 000,002,249 | ---- | M] () -- C:\ProgramData\1374187858.6560.bin

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Hey Fiery,
Cheers for the quick response. I've done the OTL custom scan as you wrote it. I'll follow the other steps you suggested shortly.
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
For some reason I'm unable to attach the results of the OTL scan. Here's its content copied and pasted.
All processes killed
========== OTL ==========
C:\ProgramData\1374772072.bdinstall.bin moved successfully.
C:\ProgramData\1374187858.6852.bin moved successfully.
C:\ProgramData\1374187858.6124.bin moved successfully.
C:\ProgramData\1374187858.6264.bin moved successfully.
C:\ProgramData\1374187858.6560.bin moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default.migrated

User: Public

User: Dante
->Temp folder emptied: 377779 bytes
->Temporary Internet Files folder emptied: 33019 bytes
->Java cache emptied: 100440 bytes
->Google Chrome cache emptied: 7584213 bytes
->Flash cache emptied: 506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1715768 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 200900 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 2782795 bytes

Total Files Cleaned = 12.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 08162013_162314

Files\Folders moved on Reboot...
C:\Users\Dante\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Sorry for the late reply, was away on a short break. Attached is the log of the AdwCleaner, JRT and RogueKiller scan. Webalta is still there though.
 

Attachments

  • AdwCleaner[S0].txt
    787 bytes · Views: 85
  • RKreport[0]_D_08212013_200635.txt
    2.9 KB · Views: 95
  • JRTreport.txt
    884 bytes · Views: 113

Fiery

Level 1
Jan 11, 2011
2,007
Have you tried going into Chrome and IE add-on managers to see if you have some unknown extensions installed? Uninstall or delete any unknown ones.

https://support.google.com/chrome/answer/187443?hl=en

http://windows.microsoft.com/en-ca/windows7/how-to-manage-add-ons-in-internet-explorer-9
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
I think I got rid of any suspicious looking extensions a while ago but webalta still appears. What extensions would you class as suspicious?
 

Fiery

Level 1
Jan 11, 2011
2,007
Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your desktop

Double click it, and press scan.

It will create a log after, post it in your next reply
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Here are the two logs that appeared after the scan.
 

Attachments

  • Addition.txt
    41.7 KB · Views: 152
  • FRST.txt
    29.3 KB · Views: 114

Fiery

Level 1
Jan 11, 2011
2,007
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)

Afterwards, update malwarebytes antimalware and perform a quick scan
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
The scan said no cleanup was needed. Here are the two logs.
 

Attachments

  • mbar-log-2013-08-24 (13-59-56).txt
    2 KB · Views: 82
  • system-log.txt
    40.6 KB · Views: 97

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Fiery said:
Please update malwarebytes antimalware and run a Full Scan.
After the full scan it said no malicious items were detected. I attached the log.
 

Attachments

  • mbam-log-2013-08-24 (20-08-03).txt
    1.9 KB · Views: 83

Fiery

Level 1
Jan 11, 2011
2,007
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
*Webalta*

:folderfind
*Webalta*

:Regfind
webalta
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
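
A read-only PowerShell counterpart to the SystemLook search above, added here as an example and not part of the original post: it lists files, folders and registry keys or values whose name or data contains "webalta", and changes nothing. The search roots and function names are assumptions chosen for the example; SystemLook's own search scope may differ.

```powershell
# Added example. Read-only: it reports matches and deletes or changes nothing.
$Needle = 'webalta'

# Assumed search roots (not taken from the thread); widen or narrow as needed.
$FileRoots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE)
$RegRoots  = @('HKCU:\Software', 'HKLM:\SOFTWARE')

function Find-NameMatch {
    # Counterpart of :filefind / :folderfind - match on file and folder names.
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        # Skip roots that are unset (e.g. no x86 folder on 32-bit Windows) or missing.
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$Needle*" } |
            ForEach-Object {
                $kind = if ($_.PSIsContainer) { 'folder' } else { 'file' }
                [pscustomobject]@{ Kind = $kind; Path = $_.FullName; Detail = '' }
            }
    }
}

function Find-RegistryMatch {
    # Counterpart of :Regfind - match on key names, value names and value data.
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like "*$Needle*") {
                [pscustomobject]@{ Kind = 'key'; Path = $key.Name; Detail = '' }
            }
            # Keys that cannot be read are skipped rather than aborting the scan.
            try { $names = $key.GetValueNames() } catch { return }
            foreach ($name in $names) {
                try { $data = [string]$key.GetValue($name) } catch { continue }
                if ($name -like "*$Needle*" -or $data -like "*$Needle*") {
                    [pscustomobject]@{ Kind = 'value'; Path = $key.Name; Detail = "$name = $data" }
                }
            }
        }
    }
}

$hits = @(Find-NameMatch -Roots $FileRoots -Needle $Needle) +
        @(Find-RegistryMatch -Roots $RegRoots -Needle $Needle)
$hits | Format-Table -AutoSize -Wrap
"{0} match(es) for '{1}'" -f $hits.Count, $Needle
```

Run it from an elevated PowerShell prompt so that protected keys and folders are readable; the recursive walk of HKLM:\SOFTWARE can take several minutes.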
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
Scan done, I've attached the log as usual.
 

Attachments

  • SystemLook.txt
    2.8 KB · Views: 74

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

It seems you have downloaded a tool called Webalta removal tool? I don't think that's a legitimate tool.

Open OTL. Under custom scan/fixes, copy and paste the following:

:Files
C:\Windows\Prefetch\WEBALTAREMOVALTOOL (1).TMP-38CF66E6.pf
C:\Windows\Prefetch\WEBALTAREMOVALTOOL (1).TMP-6243DDC9.pf
C:\Windows\Prefetch\WEBALTAREMOVALTOOL (1).TMP-D61252A0.pf
C:\Windows\Prefetch\WEBALTAREMOVALTOOL (2).TMP-EDEDC7A9.pf
C:\Program Files (x86)\Webalta Removal Tool

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Next, download Kaspersky Virus Removal Tool from here: http://www.kaspersky.com/antivirus-removal-tool?form=1 (Download Version 11. You'll have to enter your email address and name)
  1. Double-click the file and follow the on-screen prompts until it is installed
  2. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
       • System Memory
       • Hidden startup objects
       • Disk boot sectors
       • Computer
       • Local Disk (C:)
  3. Click on Automatic Scan
  4. Now click the Start Scanning button, to run the scan
  5. After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  6. Click Detected threats on the left
  7. Now click the Save button, and save it as kaslog.txt to your Desktop
  8. Please attach kaslog.txt in your next reply.
 

Dante2001

New Member
Thread author
Verified
Aug 15, 2013
27
I've attached the OTL scan log. I'm in the process of the Kaspersky Virus Removal Tool scan at the moment. It hasn't progressed over 50% through the scan despite waiting for ages for it to do so, but it has already discovered one threat, a trojan.
 

Attachments

  • SystemLook.txt
    2.8 KB · Views: 81