V9 portal hijacker

japchinlvr

New Member
Thread author
Apr 16, 2013
I'm sorry I can't do this otl asw stuff. I'm afraid to infect my little netbook which I need. I'm not a computer pro.

First - thank you so much for the instructions to remove money pak - worked like a charm. But this week I got this darn V9 and nothing seems to work. I followed your steps:

step 1- no new tab or elex programs to uninstall

step 2- no proxy add ons to delete. removed V9 search provider. made bling default. internet options general V9 has replaced the ie default home page tab and won't be deleted

step 3 - deleted V9 from the Target

step 4 - ran adwcleaner and several v9 items were removed according to the log

step 5 - ran malwarebytes nothing found

step 6 - ran hitman pro found netwrapper.dll - quarantined

started IE - still V9, even though the default is google
went to IE properties, target has V9 again. I deleted it again. Started IE still have V9.

Help - I don't know what else to do. I have windows 7 and IE10.

Thank you
 
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

OTL is 100% virus-free. It will not infect your PC. It is a diagnostic tool for us helpers to see what is wrong with your PC. To validate the tool, here is a tutorial about the tool and what it does: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 
Hello - Just FYI - last thing before I went to bed last night I did IE internet options "restore advanced options". Now I do not see the V9 tab or in the "Target". But I'm concerned it's still here somewhere.

OTL files attached....

THX!
 


Hi there,

There seems to be a suspicious file & folder on the system called Magnipic. It is an adware.

The program loads itself into the AppInit_DLLs where files under that setting will load very early on your system. Usually, rootkits use this technique to mask other malware on the system. I see you have it as an extension on chrome too, I would advise you to remove it.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O20 - AppInit_DLLs: (c:\progra~2\magnipic\sprote~1.dll) - File not found
CHR - Extension: MagniPic = C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\leimedjljnbdkhjglollaialjcngkfdb\1\
CHR - Extension: MagniPic = C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejhacogechociploajgdedklpanhegc\1\

:Files
c:\progra~2\magnipic
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Next, Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
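
The AppInit_DLLs setting discussed in the reply above can be inspected directly. The following is an added example, not part of the original thread or of OTL: a read-only PowerShell audit of the registry value named in the OTL log. The `Wow6432Node` key and the `LoadAppInit_DLLs` / `RequireSignedAppInit_DLLs` values are standard Windows settings that the thread itself does not mention.

```powershell
# Added example: list every DLL registered under AppInit_DLLs in both the
# 64-bit and 32-bit registry views, and report whether each file exists
# and carries a valid Authenticode signature. Read-only; changes nothing.
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $views) {
    if (-not (Test-Path $key)) { continue }   # no Wow6432Node on 32-bit Windows
    $props = Get-ItemProperty -Path $key

    # Bare file names are resolved from the system directory of that view.
    $sysDir = if ($key -match 'Wow6432Node') { "$env:SystemRoot\SysWOW64" }
              else { "$env:SystemRoot\System32" }

    # The value is a space- or comma-separated list, which is why entries
    # use 8.3 short paths such as c:\progra~2\... instead of long names.
    $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
    if ($dlls.Count -eq 0) { $dlls = @('(empty)') }

    foreach ($dll in $dlls) {
        $path = $dll
        if ($dll -ne '(empty)' -and -not [IO.Path]::IsPathRooted($dll)) {
            $path = Join-Path $sysDir $dll
        }
        $exists = ($dll -ne '(empty)') -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig = 'n/a'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }

        New-Object PSObject -Property @{
            Key           = $key
            LoadEnabled   = $props.LoadAppInit_DLLs          # 0 = list is ignored
            RequireSigned = $props.RequireSignedAppInit_DLLs # 1 = signed DLLs only
            Dll           = $dll
            FileExists    = $exists
            Signature     = $sig
        } | Format-List Key, LoadEnabled, RequireSigned, Dll, FileExists, Signature
    }
}
```

An entry whose file is missing, as in the OTL line above, or whose signature status is not `Valid` is worth a closer look. On a clean default installation the list is normally empty.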
 
Hello - ran OTL and mbar twice. Nothing found on the second mbar. Logs attached.

Do I have to do something with Chrome? I have never used it so I don't know where things are.

OTL log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~2\magnipic\sprote~1.dll deleted successfully.
C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\leimedjljnbdkhjglollaialjcngkfdb\1 folder moved successfully.
C:\Users\Laura\AppData\Local\Google\Chrome\User Data\Default\Extensions\fejhacogechociploajgdedklpanhegc\1 folder moved successfully.
File PTYTEMP] not found.
File SETHOSTS] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 04182013_200700

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 


Ok.

Update Malwarebytes Anti-malware and do a Quick Scan.

Then Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 
Hello - I ran malwarebytes - nothing found.

I ran the NOD32 antivirus 6. I did not see the settings you specified so I ran the "smart scan". 37 items cleaned. I couldn't attach the log - it was 179 pages long in a txt file. I don't have winzip at home.

OMG - will my computer ever be safe? Seems unending.

THX! for all your help.
 
179 pages? :s That is unusual..

Download Kaspersky Virus Removal Tool from here: http://www.kaspersky.com/antivirus-removal-tool?form=1 (Download Version 11. You'll have to enter your email address and name)
  • Double-click the file and follow the on-screen prompts until it is installed
  • Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
    • System Memory
    • Hidden startup objects
    • Disk boot sectors
    • Computer
    • Local Disk (C:)
  • Click on Automatic Scan
  • Now click the Start Scanning button, to run the scan
  • After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  • Click Detected threats on the left
  • Now click the Save button, and save it as kaslog.txt to your Desktop
  • Please attach kaslog.txt in your next reply.
 
Hello - I think it's OK. I haven't seen any sign of the V9 Portal. You're awesome!

You guys have a donation page anywhere?

Many Thanks!
 
You're welcome! And yes, mine is here:

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.


If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

If you have any other questions or concerns, feel free to ask :)