Help removing Browser Helper Object parasite

ucozann

New Member
Thread author
Aug 13, 2013
Several problematic toolbars were installed on my computer when I downloaded some free software. I got rid of most of them, but running Hitman shows an item that still is left. The page at

http://www.systemlookup.com/CLSID/75189-kerberos_bho_dll.html

says what I have in my computer is a Browser Helper Object parasite. Would you help me remove it?

In running the scans-and-logs-before-we-start, OTL did not open two Notepad windows, OTL.Txt and Extras.Txt. It only opened OTL.Txt and I could not find Extras.Txt to upload. aswmbr.exe took 1 hour to download and about that long to run.
 


Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

I see you have used TDSSkiller before. Can you post that log in your next reply? It should be located in the C:\ directory.

Next, Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool. (For Vista or Windows 7, right-click and select Run as Administrator to start.)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 
I no longer have the TDSSkiller log. I ran AdwCleaner and Junkware Removal Tool and attached the logs. Thank you for letting me know that the first 3 posts of ALL new members require approval by mods/admins.
 


When you run the HitmanPro scan, does it give you a file directory of the file that is marked as a browser parasite?
 
The file directory of the file that is marked as a browser parasite is in a S-1-5-21 key under HKEY_USERS called \Software\Microsoft\Internet Explorer\Approved Extensions\
 
Does it give the exact value after \Software\Microsoft\Internet Explorer\Approved Extensions\? That is only part of the registry directory.

After the HitmanPro scan, it should produce a log. Please post it in your next reply.
 
Hi Fiery,

My original post linked to the value after \Software\Microsoft\Internet Explorer\Approved Extensions\. The value is Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:Regfind
4D2D3B0F-69BE-477A-90F5-FDDB05357975
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I ran SystemLook and obtained the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 02:48 on 22/08/2013 by user
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== Regfind ==========

Searching for "4D2D3B0F-69BE-477A-90F5-FDDB05357975"
No data found.

-= EOF =-




I found SystemLook_x64 and ran it and obtained the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 02:51 on 22/08/2013 by user
Administrator - Elevation successful

========== Regfind ==========

Searching for "4D2D3B0F-69BE-477A-90F5-FDDB05357975"
No data found.

-= EOF =-


Since the above did not find "4D2D3B0F-69BE-477A-90F5-FDDB05357975", I ran :reg for the HKEY_USERS extension \Software\Microsoft\Internet Explorer\Approved Extensions and found

"{4D2D3B0F-69BE-477A-90F5-FDDB05357975}"=51 66 7a 6c 4c 1d 3b 1b 1f 27 39 5d 8c 3b 16 09 8b f7 b8 9b 04 77 34 6b (REG_BINARY)
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=51 66 7a 6c 4c 1d 3b 1b ab 8b 00 66 c2 84 40 08 ad e9 91 9a f0 9b 60 5d (REG_BINARY)
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=51 66 7a 6c 4c 1d 3b 1b 54 1c dc cb 77 f6 37 0d a7 76 d9 65 c0 87 c5 b7 (REG_BINARY)
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=51 66 7a 6c 4c 1d 3b 1b 94 f0 47 7d 9c 38 eb 09 b5 ec b1 22 8e 43 4c 12 (REG_BINARY)
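
The lookup the thread works toward can be done in one read-only pass: list every value name under each user's Approved Extensions key and resolve it to a COM registration and a Browser Helper Objects entry in both the 64-bit and 32-bit (Wow6432Node) registry views. This is an added example, not part of the original thread or of any tool named in it; the function name Resolve-Clsid and the output property names are hypothetical.

```powershell
# Added example, read-only: lists registry data, changes nothing.
# Run from an elevated 64-bit PowerShell so HKLM:\SOFTWARE is the native view.
$rel = 'Software\Microsoft\Internet Explorer\Approved Extensions'
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-Clsid {
    param([string]$Clsid, [string]$Sid)
    # Machine-wide (64-bit and 32-bit views) and per-user COM registrations
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
        "Registry::HKEY_USERS\$Sid\Software\Classes\CLSID"
    )
    foreach ($root in $roots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $srv = "$key\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $srv) { $dll = (Get-Item -LiteralPath $srv).GetValue('') }
        [pscustomobject]@{ Root = $root; Name = (Get-Item -LiteralPath $key).GetValue(''); Dll = $dll }
    }
}

# Loaded user hives only; the pattern skips the S-1-5-21-..._Classes entries
$hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $hives) {
    $sid = $hive.PSChildName
    $key = "Registry::HKEY_USERS\$sid\$rel"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # Value names are the CLSIDs; skip the unnamed default value if present
    foreach ($clsid in ((Get-Item -LiteralPath $key).GetValueNames() | Where-Object { $_ })) {
        $reg = @(Resolve-Clsid -Clsid $clsid -Sid $sid)
        [pscustomobject]@{
            Sid        = $sid
            Clsid      = $clsid
            Registered = $reg.Count -gt 0
            Name       = ($reg.Name | Select-Object -First 1)
            Dll        = ($reg.Dll | Where-Object { $_ } | Select-Object -First 1)
            IsBho      = [bool]($bhoRoots | Where-Object { Test-Path -LiteralPath "$_\$clsid" })
        }
    }
}
```

A row with Registered and IsBho both false has no COM class or BHO key behind it in any of the locations checked; a row with a Dll path gives the file to examine.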