Redirect Malware - Toolbars hijacked
- Thread starter DinoSport
- Start date
- Status
- Oct 5, 2012
- 2,697
Hi and welcome to the malwaretips.com forums!
I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
<hr />
STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL
<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>
<hr />
I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
- I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine!
- The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
- If you don't know, stop and ask! Don't keep going on.
- Please reply to this thread. Do not start a new topic.
- Refrain from running self fixes as this will hinder the malware removal process.
- It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
<hr />
STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL
Code:
:OTL
SRV - (DefaultTabUpdate) -- C:\Users\dean.harrison\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe ()
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3289663&octid=CT3289663&SearchSource=61&CUI=UN28393182172201114&UM=2&UP=SP5A0E4750-256E-40F5-895A-A81BB34FFAC7
IE - HKCU\..\URLSearchHook: {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {666CFE16-AEDC-43D7-9310-0EEB28014CAA}
IE - HKCU\..\SearchScopes\{666CFE16-AEDC-43D7-9310-0EEB28014CAA}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289663&CUI=UN28393182172201114&UM=2
IE - HKCU\..\SearchScopes\{BA7A8B9E-BAA4-44E8-813F-7F10992DEA6F}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..browser.search.defaultthis.engineName: "InternetHelper3.1 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&CUI=UN39845388688195399&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN39845388688195399&UM=2&q="
[2013/06/08 09:11:15 | 000,029,621 | ---- | M] () (No name found) -- C:\Users\dean.harrison\AppData\Roaming\Mozilla\Firefox\Profiles\zzhy5ncz.default\extensions\addon@defaulttab.com.xpi
[2013/06/08 09:09:22 | 000,001,011 | ---- | M] () -- C:\Users\dean.harrison\AppData\Roaming\Mozilla\Firefox\Profiles\zzhy5ncz.default\searchplugins\conduit.xml
[2013/06/08 09:54:30 | 000,001,997 | ---- | M] () -- C:\Users\dean.harrison\AppData\Roaming\Mozilla\Firefox\Profiles\zzhy5ncz.default\searchplugins\search.xml
[2013/06/08 09:11:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013/06/08 09:11:44 | 000,000,000 | ---D | M] () -- C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com
[2013/05/25 08:14:17 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
O2 - BHO: (InternetHelper3.1 Toolbar) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll (Conduit Ltd.)
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\dean.harrison\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (InternetHelper3.1 Toolbar) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (InternetHelper3.1 Toolbar) - {07CBF788-1359-421B-A4E3-5A8D041B90A3} - C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll (Conduit Ltd.)
O4 - HKLM..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe (Conduit)
O4 - HKCU..\Run: [SearchProtect] C:\Users\dean.harrison\AppData\Roaming\SearchProtect\bin\cltmng.exe (Conduit)
O4 - HKCU..\RunOnce: [Uninstall C:\Users\dean.harrison\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\dean.harrison\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314" File not found
O4 - HKCU..\RunOnce: [Uninstall C:\Users\dean.harrison\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\dean.harrison\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314\amd64" File not found
[2013/06/08 09:13:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup
[2013/06/08 09:11:16 | 000,000,000 | ---D | C] -- C:\Users\dean.harrison\AppData\Roaming\DefaultTab
[2013/06/08 09:10:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2013/06/08 09:10:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\InternetHelper3.1
[2013/06/08 09:10:23 | 000,000,000 | ---D | C] -- C:\Users\dean.harrison\AppData\Local\Conduit
[2013/06/08 09:09:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SearchProtect
[2013/06/08 09:09:22 | 000,000,000 | ---D | C] -- C:\Users\dean.harrison\AppData\Roaming\SearchProtect
[2013/06/08 09:11:16 | 000,000,000 | ---D | M] -- C:\Users\dean.harrison\AppData\Roaming\DefaultTab
[2013/06/08 09:14:46 | 000,000,000 | ---D | M] -- C:\Users\dean.harrison\AppData\Roaming\SearchProtect
:commands
[emptytemp]
[reboot]<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>
<hr />
Last edited by a moderator:
- Jun 8, 2013
- 17
Kuttus,
Thank you for your assistance...big time. I think I followed your instructions correctly. Below is the OTL log.
I got back to this webpage without a redirect. My IE browser opened to Bing and an ad immediately popped; I'll change my default homepage to try to avoid that infectious annoyance. Another ad popped-up (with sound!) while I was typing this message to you; this is the only browser and page I had open.
I also see your Security Configuration and Avoid Malware footnote. I'll get into all that advice later today to see if I can prevent the ads--they make me crazy. Thank you again - I look forward to your response.
========== OTL ==========
Service DefaultTabUpdate stopped successfully!
Service DefaultTabUpdate deleted successfully!
C:\Users\dean.harrison\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe moved successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{07cbf788-1359-421b-a4e3-5a8d041b90a3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07cbf788-1359-421b-a4e3-5a8d041b90a3}\ deleted successfully.
C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll moved successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{666CFE16-AEDC-43D7-9310-0EEB28014CAA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{666CFE16-AEDC-43D7-9310-0EEB28014CAA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BA7A8B9E-BAA4-44E8-813F-7F10992DEA6F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA7A8B9E-BAA4-44E8-813F-7F10992DEA6F}\ not found.
OTL by OldTimer - Version 3.2.69.0 log created on 06092013_090434
Thank you for your assistance...big time. I think I followed your instructions correctly. Below is the OTL log.
I got back to this webpage without a redirect. My IE browser opened to Bing and an ad immediately popped; I'll change my default homepage to try to avoid that infectious annoyance. Another ad popped-up (with sound!) while I was typing this message to you; this is the only browser and page I had open.
I also see your Security Configuration and Avoid Malware footnote. I'll get into all that advice later today to see if I can prevent the ads--they make me crazy. Thank you again - I look forward to your response.
========== OTL ==========
Service DefaultTabUpdate stopped successfully!
Service DefaultTabUpdate deleted successfully!
C:\Users\dean.harrison\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe moved successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{07cbf788-1359-421b-a4e3-5a8d041b90a3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07cbf788-1359-421b-a4e3-5a8d041b90a3}\ deleted successfully.
C:\Program Files (x86)\InternetHelper3.1\prxtbInt0.dll moved successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{666CFE16-AEDC-43D7-9310-0EEB28014CAA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{666CFE16-AEDC-43D7-9310-0EEB28014CAA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BA7A8B9E-BAA4-44E8-813F-7F10992DEA6F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA7A8B9E-BAA4-44E8-813F-7F10992DEA6F}\ not found.
OTL by OldTimer - Version 3.2.69.0 log created on 06092013_090434
- Jun 8, 2013
- 17
Well, I'm still having problems. When I clicked your link to the Security Configuration Wizard Forum I was redirected to a page built to look like google, but with a period (.) after the "o" and no "e" on the end. I can give you the URL, if it matters. I've also been redirected to Yellow Pages and other sites. Print Screen didn't work...and I got a "IE is not responding" error message. It tells me IE will close, but it doesn't. Any further help will be greatly appreciated. Thank you.
- Oct 5, 2012
- 2,697
Okay... Please try the following fixes..
STEP 1: Run a scan with AdwCleaner
<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>
<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>
STEP 2: Run a scan with Junkware Removal Tool
Please download Junkware Removal Tool to your desktop from here
STEP 3 : Run a scan with Kaspersky TDSSKiller
<ol>
<li>Download Kaspersky TDSKiller from the below link.
<><a title="External link" href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" rel="external">KASPERKSY TDSSKILLER DOWNLOAD LINK</a></> <em>(This link will automatically download Kaspersky TDSSKiller on your computer)</em>
</li>
<li>Double-click on <>TDSSKiller.exe</> to run the application.
<img src="http://img4.imageshack.us/img4/1907/tdss1.png" alt="Posted Image" /></li>
<li>Click <>Change parameters</>
<img src="http://img593.imageshack.us/img593/288/tdss2.png" alt="Posted Image" /></li>
<li>Check the boxes next to <>Verify Driver Digital Signature</> and <>Detect TDLFS file system</>, then click <>OK</>
<img src="http://img521.imageshack.us/img521/1456/tdss3.png" alt="Posted Image" /></li>
<li>Click on the <>Start Scan</> button to begin the scan and wait for it to finish.
<>NOTE:</> Do not use the computer during the scan!</li>
<li>During the scan it will look similar to the image below:
<img src="http://img6.imageshack.us/img6/9136/tdss4.jpg" alt="Posted Image" /></li>
<li>When it finishes, you will either see a report that no threats were found like below:
<img src="http://img696.imageshack.us/img696/9898/tdss5.jpg" alt="Posted Image" />
If no threats are found at this point, just click the <>Report</> selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.</li>
<li>If any infection or suspected items are found, you will see a window similar to below:
<img src="http://img854.imageshack.us/img854/905/tdss7.jpg" alt="Posted Image" />
<ul>
<li>If you have files that are shown to fail <em>signature check</em> do not take any action on these. Make sure you select <>Skip</>. I will tell you what to do with these later. They may not be issues at all.</li>
<li>If <em>Suspicious objects</em> are detected, the default action will be Skip. Leave the default set to Skip.</li>
<li>If <em>Malicious objects</em> are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
Make sure that <>Cure</> is selected. <>VERY IMPORTANT!</> - If <em>Cure</em> is not available, please choose <>Skip</> instead. DO NOT choose Delete unless instructed to do so.</li>
</ul>
</li>
<li>Click <>Continue</> to apply selected actions.</li>
<li>A reboot may be required to complete disinfection. A window like the below will appear:
<img src="http://img828.imageshack.us/img828/4812/tdss6.jpg" alt="Posted Image" />
Reboot immediately if TDSSKiller states that one is needed.</li>
<li>Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like <>TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt</> which is based on the program version # and date and time run.</li>
<li>Attach this log to your next reply.</li>
</ol>
<hr />
STEP 1: Run a scan with AdwCleaner
<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>
<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>
STEP 2: Run a scan with Junkware Removal Tool
Please download Junkware Removal Tool to your desktop from here
- Turn off your antivirus software now to avoid potential conflicts
- Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
- The tool will open and start scanning your system
- Please be patient as this can take a while to complete depending on your system's specifications
- On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
- Post the contents of JRT.txt into your next reply
STEP 3 : Run a scan with Kaspersky TDSSKiller
<ol>
<li>Download Kaspersky TDSKiller from the below link.
<><a title="External link" href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" rel="external">KASPERKSY TDSSKILLER DOWNLOAD LINK</a></> <em>(This link will automatically download Kaspersky TDSSKiller on your computer)</em>
</li>
<li>Double-click on <>TDSSKiller.exe</> to run the application.
<img src="http://img4.imageshack.us/img4/1907/tdss1.png" alt="Posted Image" /></li>
<li>Click <>Change parameters</>
<img src="http://img593.imageshack.us/img593/288/tdss2.png" alt="Posted Image" /></li>
<li>Check the boxes next to <>Verify Driver Digital Signature</> and <>Detect TDLFS file system</>, then click <>OK</>
<img src="http://img521.imageshack.us/img521/1456/tdss3.png" alt="Posted Image" /></li>
<li>Click on the <>Start Scan</> button to begin the scan and wait for it to finish.
<>NOTE:</> Do not use the computer during the scan!</li>
<li>During the scan it will look similar to the image below:
<img src="http://img6.imageshack.us/img6/9136/tdss4.jpg" alt="Posted Image" /></li>
<li>When it finishes, you will either see a report that no threats were found like below:
<img src="http://img696.imageshack.us/img696/9898/tdss5.jpg" alt="Posted Image" />
If no threats are found at this point, just click the <>Report</> selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.</li>
<li>If any infection or suspected items are found, you will see a window similar to below:
<img src="http://img854.imageshack.us/img854/905/tdss7.jpg" alt="Posted Image" />
<ul>
<li>If you have files that are shown to fail <em>signature check</em> do not take any action on these. Make sure you select <>Skip</>. I will tell you what to do with these later. They may not be issues at all.</li>
<li>If <em>Suspicious objects</em> are detected, the default action will be Skip. Leave the default set to Skip.</li>
<li>If <em>Malicious objects</em> are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
Make sure that <>Cure</> is selected. <>VERY IMPORTANT!</> - If <em>Cure</em> is not available, please choose <>Skip</> instead. DO NOT choose Delete unless instructed to do so.</li>
</ul>
</li>
<li>Click <>Continue</> to apply selected actions.</li>
<li>A reboot may be required to complete disinfection. A window like the below will appear:
<img src="http://img828.imageshack.us/img828/4812/tdss6.jpg" alt="Posted Image" />
Reboot immediately if TDSSKiller states that one is needed.</li>
<li>Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like <>TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt</> which is based on the program version # and date and time run.</li>
<li>Attach this log to your next reply.</li>
</ol>
<hr />
Last edited by a moderator:
- Oct 5, 2012
- 2,697
Download Malwarebytes Anti-Rootkit from here to your Desktop
Please download Malwarebytes' Anti-Malware to your desktop.
STEP 2: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />
- Unzip the contents to a folder on your Desktop.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
- After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
- When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- When it prompts you to try their 30-day trail, click decline
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
STEP 2: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />
Last edited by a moderator:
- Jun 8, 2013
- 17
kuttus,
The results of the first two scans returned "no malware" results. The text files are attached. The HitManPro scan deleted one item. For some reason, this website wouldn't let me attach the HitMan .txt file, so the results are pasted below.
I did mess up one thing--didn't follow your instructions correctly because I had IE closed and confused the MBAM instruction with the HitMan instruction... I didn't decline the 30-day trial for Malwarebytes Anti-Malware. So, I now have the 30-day trial version of each program running. Is this a problem?
Thanks, once again, for your help. You rock!
- - - - - - - -
The results of the first two scans returned "no malware" results. The text files are attached. The HitManPro scan deleted one item. For some reason, this website wouldn't let me attach the HitMan .txt file, so the results are pasted below.
I did mess up one thing--didn't follow your instructions correctly because I had IE closed and confused the MBAM instruction with the HitMan instruction... I didn't decline the 30-day trial for Malwarebytes Anti-Malware. So, I now have the 30-day trial version of each program running. Is this a problem?
Thanks, once again, for your help. You rock!
- - - - - - - -
Code:
HitmanPro 3.7.6.201
www.hitmanpro.com
Computer name . . . . : DEANLAPTOP
Windows . . . . . . . : 6.2.0.9200.X64/4
User name . . . . . . : Deanlaptop\dean.harrison
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (31 days left)
Scan date . . . . . . : 2013-06-16 21:46:22
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 24s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : Yes
Threats . . . . . . . : 14
Traces . . . . . . . : 104
Objects scanned . . . : 1,249,453
Files scanned . . . . : 28,615
Remnants scanned . . : 288,740 files / 932,098 keys
Malware _______________________________________________________
C:\Program Files (x86)\LessTabs\IE32\LessTabsClientIE.dll -> Deleted
Size . . . . . . . : 143,896 bytes
Age . . . . . . . : 8.5 days (2013-06-08 09:11:44)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 0ACC836A1A055BFB9260BF6ADE393AC8E9790AB6DE1D38A35C5E7AC65408B0F9
Product . . . . . : LessTabs
Publisher . . . . : LessTabs
Description . . . : LessTabs IE Client
Version . . . . . : 1.7.1.0
Copyright . . . . : 2013 LessTabs
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> G Data . . . . . . : Adware.Lesstabs.A
> Ikarus . . . . . . : AdWare.Lesstabs!IK
Fuzzy . . . . . . : 88.0
Startup
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3178A392-8963-471E-B7A2-969CB58D6496}\
References
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3178A392-8963-471E-B7A2-969CB58D6496}\
HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{8A2BBD3A-2130-4882-B198-863271F320DE}\
HKU\S-1-5-21-73945207-3909077387-3593498368-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3178A392-8963-471E-B7A2-969CB58D6496}\
Forensic Cluster
-1.8s C:\Users\dean.harrison\AppData\Roaming\Mozilla\Firefox\Profiles\zzhy5ncz.default\bookmarkbackups\bookmarks-2013-06-08.json
-0.7s C:\Program Files (x86)\LessTabs\
-0.7s C:\Program Files (x86)\LessTabs\terms-of-service.rtf
-0.7s C:\Program Files (x86)\LessTabs\3rd Party Licenses\
-0.7s C:\Program Files (x86)\LessTabs\3rd Party Licenses\buildcrx-license.txt
-0.7s C:\Program Files (x86)\LessTabs\3rd Party Licenses\Info-ZIP-license.txt
-0.7s C:\Program Files (x86)\LessTabs\3rd Party Licenses\nsJSON-license.txt
-0.7s C:\Program Files (x86)\LessTabs\3rd Party Licenses\UAC-license.txt
-0.6s C:\Program Files (x86)\LessTabs\Uninstall.exe
0.0s C:\Program Files (x86)\LessTabs\IE32\
0.0s C:\Program Files (x86)\LessTabs\IE32\LessTabsClientIE.dll
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\browser.js
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\browser.xul
0.4s C:\Program Files (x86)\Mozilla Firefox\vitruvian-autoenable.cfg
0.4s C:\Program Files (x86)\Mozilla Firefox\defaults\preferences\
0.4s C:\Program Files (x86)\Mozilla Firefox\defaults\preferences\!vitruvian-autoenable.js
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\chrome.manifest
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\icon-48.png
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\icon-64.png
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\install.rdf
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\vitruvian.bootstrap.js
0.4s C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com\vitruvian.plugin-api.js
0.4s C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\
0.4s C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\!vitruvian-autoenable.js
0.4s C:\Program Files (x86)\Mozilla Firefox\browser\defaults\
0.4s C:\Program Files (x86)\Mozilla Firefox\defaults\preferences\!vitruvian-csp.js
0.4s C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\!vitruvian-csp.js
0.4s C:\Program Files (x86)\LessTabs\FireFox\
0.5s C:\Program Files (x86)\LessTabs\FireFox\lesstabs@lesstabs.com.xpi
Suspicious files ____________________________________________________________
C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 951,497 bytes
Age . . . . . . . : 20.0 days (2013-05-27 21:14:37)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 43358BBCEC1EBE7927CA3B0A3DCA0597D5E8584F0FCBE987B8126A0C12D73A2B
Fuzzy . . . . . . : 30.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
Forensic Cluster
-0.0s C:\Program Files (x86)\Origin Games\Battlefield 3\pb\pbcl.db
-0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\
-0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\
-0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\
-0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\pbcl.db
0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
0.2s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\pbag.dll
0.2s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\scrnshot\
0.2s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\dll\
0.2s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\htm\
8.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\PnkBstrB.exe
11.7s C:\Windows\SysWOW64\PnkBstrB.xtr
C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
Size . . . . . . . : 140,072 bytes
Age . . . . . . . : 20.0 days (2013-05-27 21:15:07)
Entropy . . . . . : 7.7
SHA-256 . . . . . : CC3F4E453FC246B64C09E81BB73741CECC897C805C13815336647E986A60301E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 23.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.
Forensic Cluster
-1.0s C:\Users\dean.harrison\Documents\Battlefield 3\settings\
-1.0s C:\Users\dean.harrison\Documents\Battlefield 3\settings\meta.xml
0.0s C:\Users\dean.harrison\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
2.6s C:\Users\dean.harrison\Documents\Battlefield 3\settings\PROF_SAVE_header
2.6s C:\Users\dean.harrison\Documents\Battlefield 3\settings\PROF_SAVE_body
2.6s C:\Users\dean.harrison\Documents\Battlefield 3\settings\PROF_SAVE_profile
Potential Unwanted Programs _________________________________________________
HKU\S-1-5-21-73945207-3909077387-3593498368-1001_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)- Oct 5, 2012
- 2,697
It's my pleasure to help you with......
Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------
How to run the Combofix scan :
Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
<hr />
Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------
How to run the Combofix scan :
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
<hr />
Last edited by a moderator:
- Oct 5, 2012
- 2,697
Your all log files seems fine only..
Double click on OTL to run it
Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.
For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one
For Vista
Create a restore point
Delete all but the most recent restore point
For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link
Keep your system updated
I also recommend you to switch your antivirus program to a better one. Here are some suggestions:
In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.
Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.
Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.
Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.
Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.
Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask
<hr />
What's next?
My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
Double click on OTL to run it
- Click on the Cleanup button at the top.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
- This will remove itself and other tools we may have used.
Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.
For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one
For Vista
Create a restore point
Delete all but the most recent restore point
For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link
Keep your system updated
- Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
- Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
- Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here
I also recommend you to switch your antivirus program to a better one. Here are some suggestions:
- avast! 7 Home Edition - Don't use it with Online Armor
- Avira AntiVir Personal
- Microsoft Security Essentials
In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.
- Online Armor
- Comodo Firewall - If you are an advance user
Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.
Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.
Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
- KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
- AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
- NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
- Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites
Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.
Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.
Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask
<hr />
What's next?
- Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
- Learn how to avoid malware by reading this article <a href="http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/">How to easily avoid malware</a>
- Be an active member in the MalwareTips community!
My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
- Oct 5, 2012
- 2,697
Thank you.
<span style="color: #ff0000;"><>The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. </></span>
<span style="color: #ff0000;"><>DO NOT use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.</></span>
All members requesting Malware Removal Assistance are required to follow all procedures in the thread
My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
This thread is now closed.
Reason: <span style="color: #ff0000;">Issue Resolved</span>
<span style="color: #ff0000;"><>The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. </></span>
<span style="color: #ff0000;"><>DO NOT use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.</></span>
All members requesting Malware Removal Assistance are required to follow all procedures in the thread
My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
Last edited by a moderator:
- Status
Similar threads
