HitmanPro 3.7.9 - Build 216 (64-bit) Your license for HitmanPro has expired

[KRMorgan]

I have attached all of the various logs required to create this post, in addition to those completed for Steps 1 through 4 of Remove Search Protect by Client Connect LTD. Your instructions and download links for tools on page .... Only contained Steps 1 and 2 of Fabar Recovery Scan Tool, so I Googled search " aswMBR scan log and downloaded from CNET http://download.cnet.com/aswMBR/3000-8022_4-75911665.html to create and attach the QuickScan log (I presumed since no instructions in updating the database directory was first step, then just using the AV scan default).

Attached Files:
AdwCleaner[SO].txt
FRST.txt
Addition.txt
aswMBR.txt
mbam-log-2014-06-06 (12-06-14).txt
HitmanPro_20140607_0857.log

 

[TwinHeadedEagle]

Is this PC used for business or it is private?

 

[KRMorgan]

It is my personal asset and not used for business purposes as I am unemployed. Thanks for your assistance.

 

[TwinHeadedEagle]

Then shortly, what is your problem?

 

[KRMorgan]

Remove Search Protect by Client Connect LTD (Removal Guide) completed Step 4 per Stelian Pilici, prevented from completing Step 5 of
http://malwaretips.com/blogs/search-protect-client-connect-ltd-removal/

Error: "HitmanPro 3.7.9 - Build 216 (64-bit) Your license for HitmanPro has expired".
Analysis: Examine contents of HitmanPro_20140607_0857.log

Since a picture is a thousand words, I have uploaded "6-7-2014 2-22-25 AM HitmanPro 3.7.9 - Build 216 Scan results.jpg" and "6-7-2014 8-55-23 AM Your license for HitmanPro has expired.jpg" as a visual aid for you to see there are still malware remnants that must be removed by HitmanPro but can't because of this license issue. I am not qualified to manually remove these 6 files consisting of Trovigo, Claro, FLV Player as they are embedded into the preferences and registries by Search Protect by Client Connect LTD. It would be more effective, efficient and less prone to harmful OS risk in doing so using malware removal tool.

Please advise or have Stelian Pilici advise on next steps as follow-up to his above blog link as he had cordially invited people "If you are still experiencing problems while trying to remove Search Protect by Client Connect Ltd hijacker from your machine, please start a new thread in our Malware Removal Assistanceforum."

I have done so and that is pretty much about as I can trouble shoot without received further instructions from Stelian. If I have to wait to next week to hear back from him, I am sure my computer has been disinfected to the point where a rogue root trojan virus propagated by Client Connect is unlikely to happen since steps 1 -4 were done. However, it looks as if according to the attached logs there may have been some other programs also affected such as C++ and therefore it's functionality may be impaired.

Suspicious files ____________________________________________________________

C:\Users\Kevin Morgan\Google Drive\My Briefcase\Purchases\Hewlett Packard\hpdeskjet 5650\0900a5a2802e946d\5600\program files\Hewlett-Packard\hp deskjet assistant\bin\hpvcrt.dll
Size . . . . . . . : 295,000 bytes
Age . . . . . . . : 307.0 days (2013-08-04 02:32:35)
Entropy . . . . . : 6.3
SHA-256 . . . . . : 748337100E34FC13222785FCE37C4C3E39FFFEB1130A7D5491188152387E5153
Product . . . . . : Microsoft (R) Visual C++
Publisher . . . . : Microsoft Corporation
Description . . . : Microsoft (R) C Runtime Library
Version . . . . . : 6.10.8637.0
Copyright . . . . : Copyright (C) Microsoft Corp. 1981-1999
RSA Key Size . . . : 512
Authenticode . . . : Invalid
Fuzzy . . . . . . : 41.0
Program is code signed with a weak certificate. This is common to malware.
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.

C:\Windows\system32\drivers\kl1.sys
Size . . . . . . . : 7,717,984 bytes
Age . . . . . . . : 107.6 days (2014-02-19 11:13:22)
Entropy . . . . . : 0.6
SHA-256 . . . . . : 025F7E1E979DC8C4794FC7D3581D6BCF6E0F6DC327C6FCB925B6A8EDBE999A68
Product . . . . . : Kaspersky Anti-Virus
Publisher . . . . : Kaspersky Lab ZAO
Description . . . : Kaspersky Unified Driver
Version . . . . . : 6.8.0.26
Copyright . . . . : © 2013 Kaspersky Lab ZAO. All Rights Reserved.
Fuzzy . . . . . . : 42.0
The file is hidden from Windows API. This is typical for malware.
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.

C:\Windows\system32\drivers\klif.sys
Size . . . . . . . : 489,568 bytes
Age . . . . . . . : 107.6 days (2014-02-19 11:13:21)
Entropy . . . . . : 6.5
SHA-256 . . . . . : E1323898883DD83C1F209460BB9781A4AE023DB2CA4B44A0C19B1E6F4ABDCD87
Product . . . . . : Kaspersky™ Anti-Virus ®
Publisher . . . . : Kaspersky Lab ZAO
Description . . . : Klif Mini-Filter [fre_wlh_x64_sdk]
Version . . . . . : 8.11.0.703
Copyright . . . . : Copyright © Kaspersky Lab ZAO 1996-2013.
Fuzzy . . . . . . : 42.0
The file is hidden from Windows API. This is typical for malware.
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
The file is a device driver. Device drivers run as trusted (highly privileged) code.


Potential Unwanted Programs _________________________________________________

homepage
C:\Users\Kevin Morgan\AppData\Local\Google\Chrome\User Data\Default\Preferences

HKLM\SOFTWARE\Classes\c\ (Claro)
HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
HKU\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
HKU\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)


Thank you Clint Eastwood TwinHeadedEagle!

Kevin Morgan

 

[TwinHeadedEagle]

Please do not attach anything about Hitman Pro anymore. This software is stupid and not able to remove majority of adware...

I asked you what is your current situation?

 

[KRMorgan]

OK, but I feel as if you have totally discredited the credibility now of Stelian Pilici as his intentions seemed legit. Being that you appear to be a moderator of this site, hopefully your feedback can be provided back to the source of the malware removal instructions. My current situation is stable! I guess I can read between the lines that HitmanPro is just creating "false positive" concerns that will not manifest themselves back to life. When I reviewed AdwCleaner and Malwarebytes logs, it looks as if those programs removed Conduit and anything else of concern. I have to say AdwCleaner was very aggressive in deleting all of my web browser extensions. So it was a lot of housecleaning work to put everything back in place to customizing my browsers add ons but at least I can rest assured of no functional or performance issues. Thank you for your time!

 

[TwinHeadedEagle]

OK, but I feel as if you have totally discredited the credibility now of Stelian Pilici as his intentions seemed legit. Being that you appear to be a moderator of this site, hopefully your feedback can be provided back to the source of the malware removal instructions.

Nope, we just have different methods and thoughts. I am using tools made specially for malware removal experts, and Stelian is giving what he thinks it is good. But you need to know that a lot of people come here to ask for help even if they already run Hitman Pro. I would never give user Hitman Pro, because he can run it himself. Tools I use are much more powerful and not intended to be used without supervisor.

I have to say AdwCleaner was very aggressive in deleting all of my web browser extensions.

Adwcleaner will only delete bad extensions, not good ones.



For future protection I can recommend you:
- Adblock --> https://adblockplus.org/en/chrome
- Unchecky --> http://unchecky.com/



• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;

Remove disinfection tools

Create registry backup

Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

 

[KRMorgan]

Thanks for Adblock as I have ensured all of my browsers Chrome, FF, IE, Safari have this extension as well as all others for consistency across all of them. I like the Unchecky program because I dislike even Oracle Java as well as other software providers constantly trying to slip in 3rd party Adware (it irks be a Fortune 100 company performing this practice). I have attached DelFix.txt logs as everything should be good to go!