Removing Tuvaro and other unknown malware

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
Needing help removing Tuvaro and identifying other potential malware threats.
 

Attachments

  • FRST.txt (70.4 KB)
  • Addition.txt (36.7 KB)
  • aswMBR.txt (20.9 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hi,


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.



***** NEXT *****

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Code:
    createsrpoint;
    gpt.ini;z
    C:\Windows\System32\GroupPolicy;v
    C:\Windows\SysWOW64\GroupPolicy;v
    StandardSearch;
    emptyfolderscheck;
    installer-list;
    installedprogs;
    uninstall-list;
  • Click on the Run Script by zoek button.
    Please wait until a log report opens (this can be after reboot).
  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

 

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
I did the first part (the AdwCleaner part) and after it rebooted, I was no longer able to access the internet on this computer. In running diagnostics to figure out why...I resorted to a system restore. And now I have access again.
I am going to run the AdwCleaner again and see if the problem returns. If it does, I'll let you know from another computer.
 

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
I tried again. Re-downloaded AdwCleaner, ran scan, ran clean, and then when it rebooted I was again not able to access the internet. So I restored the system again so that the computer can be used tomorrow.
I did save the AdwCleaner[S0].txt files from both attempts and they are below. I suspect we're deleting something I need to uncheck before I run this again. But I don't know what it is we're deleting.

Thanks for your help!
 

Attachments

  • AdwCleaner[S0].txt (8.7 KB)
  • AdwCleaner[S0]2nd.txt (8.2 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Ok, let's try a different step :)



Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Open FRST, and click Fix. Attach that report here after it is finished.
 

Attachments

  • fixlist.txt (9.4 KB)

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
TwinHeadedEagle said:
Ok, let's try a different step :)

Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Open FRST, and click Fix. Attach that report here after it is finished.

Okay done and report attached.
 

Attachments

  • Fixlog.txt (65.5 KB)

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
Thought I should let you know that we've made some progress. I can access the Google website now. I didn't try logging into Gmail since it's still initially launching a Tuvaro homepage and I didn't want to use my password on that computer until I know that's gone...
A bit paranoid now.

Thanks!
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Good, let's make one final scan:



Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Code:
    createsrpoint;
    emptyfolderscheck;delete
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns;b
  • Click on the Run Script by zoek button.
    Please wait until a log report opens (this can be after reboot).
  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
 

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
TwinHeadedEagle said:
Good, let's make one final scan:

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Code:
    createsrpoint;
    emptyfolderscheck;delete
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns;b
  • Click on the Run Script by zoek button.
    Please wait until a log report opens (this can be after reboot).
  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Well...Tuvaro is still with us after the reboot.
 

Attachments

  • zoek-results.txt (81.8 KB)

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
TwinHeadedEagle said:
In which browser do you experience the problem?
So the browsers are varying with the user accounts on the computer.
The account listed as Admin will not open any browsers right now.
The account listed as Craig will not open Firefox; Explorer opens with a Tuvaro search; and Chrome opens without a preselected home screen (can go to google on both Explorer and Chrome).
The account listed as Michelle (which is where I had to run Zoek, because that account is apparently the administrator for Norton Utilities on the computer, and when I tried to run Zoek on the Admin user account it wasn't working): on this account Firefox loads but with a Tuvaro screen, Explorer loads with a Tuvaro screen, and Chrome loads without a home screen.
 

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
Because the three user profiles on the computer seem to be having different challenges with internet browsers, I opted to run the FRST scan separately under each user profile. Those three scan logs are attached, as is the fix log that ran when I first opened FRST (under the user Michelle). Note that now no browser is even making internet access if you're under the Admin user profile.
 

Attachments

  • FRSTAdmin.txt (56.6 KB)
  • FRSTCraig.txt (87.2 KB)
  • FRSTMichelle.txt (83 KB)
  • Fixlog.txt (37.4 KB)

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
I want to clarify that last sentence. If you're logged on to the computer as the Admin user, none of the browsers (Chrome, Explorer, Firefox) can get access to the internet.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Open FRST, and click Fix. Attach that report here after it is finished.



***** NEXT *****



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
 

Attachments

  • fixlist.txt (1.9 KB)

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
So operationally Tuvaro no longer comes up if logged in to the computer as "Michelle", which is the user under which I ran ComboFix.
The "Admin" user still doesn't connect to the internet on any browser; instead you get a message saying the proxy server has failed to connect. That user can still see and connect to other computers on the home office network.
The "Craig" user still gets Tuvaro as a search engine on both Explorer and Firefox.
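A read-only diagnostic added here (my own, not the thread's and not code from AdwCleaner, zoek, FRST or ComboFix) for the symptom above: since only the Admin profile shows the proxy error and each profile behaves differently, it lists the WinINET proxy values of every loaded user hive and reports whether the local Group Policy files the zoek script targeted are present. It assumes an elevated PowerShell prompt on the affected machine; it changes nothing.

```powershell
# Added diagnostic, not from the thread: per-user proxy settings and local
# Group Policy files. Read-only. Run from an elevated PowerShell prompt.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# One row per loaded user hive (SIDs of the form S-1-5-21-...; the system and
# *_Classes hives are skipped). Internet Explorer and Chrome use these system
# proxy values; Firefox has its own proxy setting unless told to follow them.
$rows = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        try {
            $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }
        $key = "HKU:\$sid\$inetKey"
        if (-not (Test-Path $key)) { return }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Account       = $account
            ProxyEnable   = $p.ProxyEnable     # 1 = a manual proxy is forced on
            ProxyServer   = $p.ProxyServer     # host:port browser traffic is sent through
            AutoConfigURL = $p.AutoConfigURL   # PAC script URL; empty is normal on a home PC
        }
    }
$rows | Format-Table -AutoSize

# The zoek script earlier in the thread targeted the local Group Policy folders.
# On a home PC where nobody has configured a local policy, gpt.ini is usually
# absent; an unexpected one with a recent timestamp is worth showing the helper.
foreach ($dir in 'System32', 'SysWOW64') {
    $gpt = Join-Path $env:SystemRoot "$dir\GroupPolicy\gpt.ini"
    if (Test-Path $gpt) {
        "Local policy present: $gpt (modified $((Get-Item $gpt).LastWriteTime))"
    } else {
        "No local policy file under $dir\GroupPolicy"
    }
}
```

A profile whose row shows ProxyEnable = 1 with a ProxyServer the user never set, or an AutoConfigURL pointing at an unfamiliar host, explains why that one account cannot reach the internet while others can; the fix itself belongs in the helper's FRST fixlist rather than in ad-hoc edits.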
 

Craig W

New Member
Thread author
Verified
Apr 18, 2014
26
Here is the log from running ComboFix as the Admin user. That user now has internet connectivity again, though Tuvaro is coming up as the search engine.
 

Attachments

  • ComboFix.txt (37.9 KB)
