iSearch.Claro-Search malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Haruhi, Sep 8, 2012.

  1. Haruhi

    Haruhi Private E-2

    I've been lurking and someone over from Reddit sent me to this website. I've followed the directions from http://forums.majorgeeks.com/showthread.php?t=265220 and it looked like the virus was gone for a while, but now whenever I open a new Firefox window, it directs me to iSearch-Claro again. Every tab I open is Claro. This is very annoying and I really need help. Thanks!
     
  2. Haruhi

    Haruhi Private E-2

    Bump for the sake of how annoying this malware is...:cry
     
  3. thisisu

    thisisu Malware Consultant

    Can you run the following batch file that is attached to this post?

    Let me know if it helped or not.
     

  4. Haruhi

    Haruhi Private E-2

    Um... yeah. I'm so sorry. I have no idea what to do with the .zip file you just attached. I am seriously not computer savvy. Sorry. What should I do with it?
     
  5. thisisu

    thisisu Malware Consultant

    No problem.

    The .zip file I attached is an archive which contains a batch file called: firefox.bat. I would have just attached the .bat file to make it easier but attaching certain files, like .bat, is not allowed on the forums.

    Here is a guide on how to extract files from .zip: http://www.computerhope.com/issues/ch000506.htm

    Once you have firefox.bat on your desktop, run it by double-clicking it. (If using Vista or Windows 7, do not double-click it; instead, right-click it and select Run As Administrator.)
     
  6. Haruhi

    Haruhi Private E-2

    Ok. I extracted the .zip file to my Desktop. There is an icon there with cogwheels and stuff. I right-clicked and ran as Admin. It closed my current Firefox session; I opened Firefox again with a new session. Homepage was Claro-Search...yet again. :cry:cry:cry:cry
     
  7. thisisu

    thisisu Malware Consultant

  8. thisisu

    thisisu Malware Consultant

    If the above does not work:

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  9. Haruhi

    Haruhi Private E-2

    Ok.. here we go. I hope. That was a lot to do right then. But I am so thankful for your help right now.
     

  10. thisisu

    thisisu Malware Consultant

    Yes I know it is a lot of work to do.

    Download adware cleaner to your desktop.
    Open it and press Delete.
    Attach the generated log and test if the problem still exists.
     
  11. Haruhi

    Haruhi Private E-2

    Changed Homepage on Firefox to default, closed Firefox and restored sessions, Claro is STILL homepage. Wtf.

    Here's the AdwareCleaner log.

    I'm so sorry.
     

  12. thisisu

    thisisu Malware Consultant

    What do you mean when you say this? Do not "Restore Session" as this will always bring you back to the page you were previously viewing.

    Please close FireFox properly, and then open FireFox and choose the option that is NOT "Restore Session", I think the correct choice is "Go to HomePage".

    If you have questions let me know. Don't worry about apologizing I'm here to help :)

    If you are still having issues:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  13. Haruhi

    Haruhi Private E-2

    Ok, sorry for the confusion. Opening a brand new Firefox after properly closing it is what I meant.

    Problems are still arising. Here's the OTL log.

    EDIT: There was an Extras.txt log. I'll attach it.
     

    Last edited: Sep 9, 2012
  14. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{62A95860-F05D-4F3A-98FE-DB7AB361FBBA}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKLM\..\SearchScopes\{62A95860-F05D-4F3A-98FE-DB7AB361FBBA}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
    IE - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
    IE - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://isearch.claro-search.com/?q={searchTerms}&affID=115131&tt=120812_bandext_3312_8&babsrc=SP_iclro&mntrId=e8cf4a6a000000000000062100e11362
    IE - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\SearchScopes\{62A95860-F05D-4F3A-98FE-DB7AB361FBBA}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    FF - prefs.js..browser.search.defaultenginename: "Claro Search"
    FF - prefs.js..browser.search.order.1: "Claro Search"
    FF - prefs.js..browser.search.selectedEngine: "Claro Search"
    FF - prefs.js..browser.startup.homepage: "http://isearch.claro-search.com/?affID=115131&tt=120812_bandext_3312_8&babsrc=HP_iclro&mntrId=e8cf4a6a000000000000062100e11362"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: wtxpcom@mybrowserbar.com:4.1
    FF - prefs.js..extensions.enabledItems: youtubedownloader@mybrowserbar.com:4.1
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..searchreset.backup.browser.search.defaultenginename: "Claro Search"
    FF - prefs.js..browser.startup.homepage: "http://isearch.claro-search.com/?affID=115131&tt=120812_bandext_3312_8&babsrc=HP_iclro&mntrId=e8cf4a6a000000000000062100e11362"
    [2012/05/08 11:24:48 | 000,401,328 | ---- | M] () (No name found) -- C:\Users\Sean and Luann\AppData\Roaming\Mozilla\Firefox\Profiles\rtdkppf8.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
    [2012/09/09 01:32:14 | 000,001,649 | ---- | M] () (No name found) -- C:\Users\Sean and Luann\AppData\Roaming\Mozilla\Firefox\Profiles\rtdkppf8.default\extensions\searchreset@gavinsharp.com.xpi
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-1553210162-1582565319-2532465683-1000\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
    [1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2011/04/19 02:32:47 | 000,012,148 | -HS- | C] () -- C:\Users\Sean and Luann\AppData\Local\s121uq0at7k5v60wwl08sp5t287if7yru6nw52
    [2011/04/19 02:32:47 | 000,012,148 | -HS- | C] () -- C:\ProgramData\s121uq0at7k5v60wwl08sp5t287if7yru6nw52
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:0B4227B4
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\Temp:D1B5B4F1
    :files
    C:\Users\Sean and Luann\AppData\Roaming\Microsoft\Windows\Templates\s121uq0at7k5v60wwl08sp5t287if7yru6nw52
    dir "C:\Users\Sean and Luann\AppData\Local\{066F66F2-32B4-4407-AC17-FB88FF06EBD9}" /c
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{62A95860-F05D-4F3A-98FE-DB7AB361FBBA}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{62A95860-F05D-4F3A-98FE-DB7AB361FBBA}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
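The prefs.js entries in the fix above are what keep the Claro homepage and search engine coming back in Firefox. The script below is an added example, not part of the thread or of OTL: it parses a prefs.js excerpt constructed from the findings quoted above and flags the hijack indicators, including the searchreset.backup copy that already holds the hijacked engine name, so there is no clean value left to fall back to. The allow-lists of engines and homepage hosts are assumptions an analyst would tune for their environment.

```python
"""Scan a Firefox prefs.js for search-engine / homepage hijack indicators.

Added example (not the thread's or OTL's code). Pref names and the Claro
values mirror the "FF - prefs.js.." lines quoted in the OTL fix above.
"""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the OTL findings in this thread.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Claro Search");
user_pref("browser.search.order.1", "Claro Search");
user_pref("browser.search.selectedEngine", "Claro Search");
user_pref("browser.startup.homepage", "http://isearch.claro-search.com/?affID=115131&tt=120812_bandext_3312_8&babsrc=HP_iclro&mntrId=e8cf4a6a000000000000062100e11362");
user_pref("searchreset.backup.browser.search.defaultenginename", "Claro Search");
user_pref("browser.startup.page", 1);
user_pref("extensions.enabledItems", "engine@conduit.com:3.2.5.2,wtxpcom@mybrowserbar.com:4.1");
'''

# user_pref("<name>", <js literal>);
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.+)\);\s*$')

# Assumed allow-lists (not from the thread): engines a stock Firefox of that
# era shipped with, and hosts a user would plausibly set as a start page.
ALLOWED_ENGINES = {"Google", "Yahoo", "Bing", "Amazon.com", "eBay",
                   "Twitter", "Wikipedia (en)"}
ALLOWED_HOMEPAGE_HOSTS = {"www.google.com", "www.mozilla.org", "start.mozilla.org"}

SEARCH_ENGINE_PREFS = ("browser.search.defaultenginename",
                       "browser.search.selectedEngine")


def _decode(raw):
    """Turn the JS literal on the right-hand side of user_pref into a Python value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # prefs.js only escapes backslash and double quote inside strings
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs_js(text):
    """Return {pref_name: value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def find_hijack_indicators(prefs, allowed_engines=ALLOWED_ENGINES,
                           allowed_hosts=ALLOWED_HOMEPAGE_HOSTS):
    """Return (pref, value, reason) tuples an analyst should review."""
    findings = []
    for name, value in prefs.items():
        if not isinstance(value, str):
            continue
        # 1. Engine selection prefs (incl. browser.search.order.N) naming an
        #    engine the stock profile does not ship.
        if name in SEARCH_ENGINE_PREFS or name.startswith("browser.search.order."):
            if value not in allowed_engines:
                findings.append((name, value, "search engine not in allow-list"))
        # 2. Homepage pointing at an unexpected host. Firefox separates
        #    multiple start pages with '|', so check each one.
        elif name == "browser.startup.homepage":
            for url in value.split("|"):
                host = urlparse(url).hostname or ""
                if host and host not in allowed_hosts:
                    findings.append((name, url, f"homepage host {host} not in allow-list"))
        # 3. The search-reset backup copy: if it already holds the hijacked
        #    engine, there is no clean value for a reset to restore.
        elif name.startswith("searchreset.backup."):
            if value not in allowed_engines:
                findings.append((name, value, "reset backup already holds hijacked engine"))
    return findings


def scan_text(text):
    """Convenience wrapper: parse prefs.js text and return its findings."""
    return find_hijack_indicators(parse_prefs_js(text))


if __name__ == "__main__":
    for pref, value, reason in scan_text(SAMPLE_PREFS_JS):
        print(f"{pref}: {value!r} -> {reason}")
```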
     
  15. Haruhi

    Haruhi Private E-2

    Here is the OTL log.
    Claro is still interfering on my PC.
     

  16. thisisu

    thisisu Malware Consultant

    • Can you open FireFox, then type the following into the browser bar:
      • about:config
    • Press ENTER.
    • Choose the "I'll be careful I promise" option.
    • In the Search: field, type in:
      • claro
    • Then view the Preference Name column and copy the Preference names here for me to review, or post a screenshot if that is easier. http://take-a-screenshot.org/
     
  17. Haruhi

    Haruhi Private E-2

    Here's the SS
     

  18. thisisu

    thisisu Malware Consultant

    Right mouse click each of those values and select "Reset" from the menu.
     
  19. Haruhi

    Haruhi Private E-2

    When I do that and close Firefox properly and open it again, my homepage/tabs are all Claro-Search.com still. :confused:confused:confused:confused:confused:cry:cry:cry:cry:cry:cry
     
  20. thisisu

    thisisu Malware Consultant

    I was hoping we wouldn't have to be so drastic in handling this but try this one next:

    • Open FireFox, then type the following into the browser bar:
      • about:support
    • Press ENTER.
    • Look to your right to locate and press the "Reset FireFox" button.
    • A little confirmation pop-up should appear, simply press "Reset FireFox" again.

    Let me know if this helped at all.
     
  21. Haruhi

    Haruhi Private E-2

    thisisu! Finally cleared up!!! Wow... seriously. Thank you. A MILLION times thank you. I really put you through the wringer and I'm sorry about that! I was getting so worried we'd never get rid of it!!! Ahhhhh. FINALLY!! Some relief. Thank you again, thisisu. Seriously. Thank you...

    I'm not sure if this is customary, but is there any way I can pay you specifically? Paypal account or something? What you just did for me, the amount of labor and such, would have cost me money anywhere else. I feel very guilty. Please, allow me the small pleasure of somehow repaying you?
     
  22. thisisu

    thisisu Malware Consultant

    You're welcome :)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)

    I don't even have a Paypal account but thanks for the offer. Don't feel guilty, I'm glad I was able to help :) It is satisfying enough to me.
     
  23. Haruhi

    Haruhi Private E-2

    thisisu...I don't even know what to say.

    It came back. It was cleared for almost the whole night and almost all of this morning. But before I went to bed I opened Firefox and my homepage was Claro search engine. Seriously, what a huge let down. I could've sworn resetting Firefox would've done it.


    I'm sorry. What should we do now? God dammit...
     
  24. thisisu

    thisisu Malware Consultant

    Hello, sorry to hear that happened. Let me try to see what happened. Complete the below scans:

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes the easiest way to remove these kinds of issues from Firefox is to do a clean install of Firefox. This means Firefox needs to be completely uninstalled and folders MUST be deleted before reinstalling. I also saw signs of Babylon and Relevant Knowledge in your logs.

    C:\Program Files (x86)\RelevantKnowledge
    C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
     
  26. Haruhi

    Haruhi Private E-2

    Here you go
     

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall this >> Anti-phishing Domain Advisor



    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Wait until I tell you to reinstall. Get it here: Mozilla Firefox 15.0.1 Final

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.


    Now uninstall FireFox



    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the text-field.
    Code:
    :OTL
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://isearch.claro-search.com/?q={searchTerms}&affID=115131&tt=120812_bandext_3312_8&babsrc=SP_iclro&mntrId=e8cf4a6a000000000000062100e11362
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files (x86)\RelevantKnowledge
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/09/09 17:56:40 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/09/09 01:52:39 | 000,000,000 | ---D | M]
    CHR - Extension: Yontoo = C:\Users\Sean and Luann\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.2_0\
    O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll (Yontoo LLC)
    O4 - HKLM..\Run: [Anti-phishing Domain Advisor] C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe (Visicom Media Inc. (Powered by Panda Security))
    [2012/09/09 17:56:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
    [2012/09/09 12:30:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yontoo
    [2012/09/09 12:30:06 | 000,000,000 | ---D | C] -- C:\Users\Sean and Luann\AppData\Local\antiphishing-vmninternethelper1_1dn
    [2012/09/09 12:30:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Anti-phishing Domain Advisor
    [2012/09/09 12:29:48 | 000,000,000 | ---D | C] -- C:\Users\Sean and Luann\AppData\Roaming\Babylon
    [2012/09/09 12:29:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
    [2012/09/08 12:05:25 | 000,000,000 | ---D | C] -- C:\Users\Sean and Luann\AppData\Local\{066F66F2-32B4-4407-AC17-FB88FF06EBD9}
    :Files
    C:\Program Files (x86)\RelevantKnowledge
    C:\Users\Sean and Luann\AppData\Roaming\Mozilla
    C:\Program Files (x86)\Mozilla Firefox
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{6E19037A-12E3-4295-8915-ED48BC341614}"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Make sure you tell me how things are working now!
     
  28. Haruhi

    Haruhi Private E-2

    Here's the logs. Re-installed Firefox, I didn't even import the bookmarks yet and my homepage is still Claro. This seems serious... what are the steps now?
     

  29. thisisu

    thisisu Malware Consultant

    Code:
    ========== OTL ==========
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
    Ignore the above, they are just notes for us.

    Can you double-check that the problem exists in Internet Explorer as well?

    __

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :regfind
    {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    *isearch*
    :filefind
    *claro*
    :folderfind
    Anti-phishing*
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  30. Haruhi

    Haruhi Private E-2

    Here's the SystemLook log.


    IE has been running fine. There have been no traces of Claro on it or Chrome for that matter.
     

  31. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :files
    C:\Users\Sean and Luann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_info.claro-search.com_0.localstorage
    C:\Users\Sean and Luann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_info.claro-search.com_0.localstorage-journal
    C:\Users\Sean and Luann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_isearch.claro-search.com_0.localstorage
    C:\Users\Sean and Luann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_isearch.claro-search.com_0.localstorage-journal
    C:\Users\Sean and Luann\AppData\Roaming\wklnhst.dat
    C:\ProgramData\McAfee
    C:\ProgramData\Norton
    C:\ProgramData\Tarma Installer
    C:\ProgramData\Browser Manager
    C:\Windows\is-NJ7MA.exe
    C:\Windows\is-NJ7MA.lst
    c:\Windows\is-NJ7MA.msg
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "BrowserMngrDefaultScope"=-
    [HKEY_USERS\S-1-5-21-1553210162-1582565319-2532465683-1000\Software\Microsoft\Internet Explorer\SearchScopes]
    "BrowserMngrDefaultScope"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-1553210162-1582565319-2532465683-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  32. Haruhi

    Haruhi Private E-2

    The log.
     

  33. thisisu

    thisisu Malware Consultant

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Claro still present?
     
  34. Haruhi

    Haruhi Private E-2

    Waited til after MGTools to check for Claro on Firefox; still there.


    Currently using Chrome for the time being.
    Attached: MGtools log
     

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then there may be an issue with the registry being locked, because the below should have been deleted by OTL but they were not.
    Please uninstall Firefox and this time do not reinstall yet until we specifically ask you to do so.
    Also make sure that this gets uninstalled too >> Mozilla Maintenance Service

    Be patient while doing the below. The fixes can take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.



    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now please re-run the last OTL fix ( in message # 31 ) that thisisu gave to you.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Make sure that you run GetLogs.bat and not the below which you need to delete:
    C:\Users\Sean and Luann\Desktop\Anti-Malware and Virus\MGtools.exe


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Again DO NOT reinstall Firefox yet. We must make sure all leftovers from Firefox and the iclaro stuff are removed first.
     
    Last edited: Sep 11, 2012
  36. Haruhi

    Haruhi Private E-2

    The logs are here.
     

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools should not be getting run while OTL is still running. Per your log you had the below running which is also not where OTL.exe should be located.

    C:\Users\Sean and Luann\Desktop\Anti-Malware and Virus\OTL(1).exe

    When we say to put something on your Desktop it means directly in the Desktop folder and not a subfolder.

    Did your PC reboot after running the OTL fix? If not, then please reboot and then run C:\MGtools\GetLogs.bat and attach the new MGlogs.zip. The last logs still showed the same registry entries were not removed by OTL. It may be necessary to uninstall ALL of AVG to fix this, as it is possible that it is getting in the way of the fix.

    Also is your copy of Malwarebytes a paid/licensed version?
     
  38. Haruhi

    Haruhi Private E-2

    Ok. Sorry about all that.

    Yes, my MalwareBytes is paid and licensed. Also, did you want me to run MGTools again before or after uninstalling AVG?

    EDIT: And yes, I waited to boot my PC until MGTools was finished.
     
    Last edited: Sep 11, 2012
  39. Haruhi

    Haruhi Private E-2

    Well I uninstalled AVG fully before running MGTools yet again. Here's the log.
     

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of AVG did not uninstall. The secure search stuff is still present and so is a driver that tries to block the changes to home page and search pages. The fix below will attempt to remove more of this AVG stuff which may be getting in our way.

    Uninstall the below
    Yontoo 1.10.02

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files (x86)\RelevantKnowledge\rlservice.exe (file missing)
    O23 - Service: vToolbarUpdater12.2.6 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe

    After clicking Fix, exit HJT.

    Now please reboot into safe boot mode to run the below.

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the text-field.
    Code:
    :Services
    RelevantKnowledge
    vToolbarUpdater12.2.6
    :Files
    C:\Users\Sean and Luann\AppData\Roaming\Mozilla
    C:\Windows\SysNative\drivers\avgtpx64.sys
    C:\Program Files (x86)\AVG Secure Search
    C:\ProgramData\AVG2012
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Common Files\AVG Secure Search
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "vProt"=-
    "HP Software Update"=-
    "ROC_roc_dec12"=-
    "ROC_ROC_JULY_P1"=-
    "SunJavaUpdateSched"=-
    [HKEY_USERS\S-1-5-21-1553210162-1582565319-2532465683-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "uTorrent"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "PendingFileRenameOperations"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "BrowserMngrDefaultScope"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    "DisplayName"=-
    "URL"=-
    "SuggestionsURLFallback"=-
    "FaviconURL"=-
    "SuggestionsURL"=-
    "Key"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)

    If your PC did not reboot after running the above OTL fix, then please reboot and reboot into normal mode to continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
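As an added example, not part of the thread or of the MajorGeeks tools, here is a PowerShell check an analyst could run after the OTL fix above to confirm that the listed services, files and Run-key values are actually gone. It assumes an elevated 64-bit PowerShell session on the same machine (so OTL's SysNative alias maps to C:\Windows\System32) and uses the profile path exactly as it appears in the OTL script.

```powershell
# Post-fix verification: re-read every artifact the OTL script targets and
# report what is still present. Constructed for this thread; not MajorGeeks code.
# Assumption: elevated 64-bit PowerShell, SysNative == C:\Windows\System32.

$services = @('RelevantKnowledge', 'vToolbarUpdater12.2.6')
$paths = @(
  'C:\Users\Sean and Luann\AppData\Roaming\Mozilla',
  'C:\Windows\System32\drivers\avgtpx64.sys',
  'C:\Program Files (x86)\AVG Secure Search',
  'C:\ProgramData\AVG2012',
  'C:\Program Files (x86)\AVG',
  'C:\Program Files (x86)\Common Files\AVG Secure Search',
  'C:\Program Files (x86)\RelevantKnowledge\rlservice.exe'
)
# Run-key values the fix deletes ("name"=- lines), keyed by registry path.
$runValues = @{
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = @('uTorrent')
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' =
    @('vProt', 'HP Software Update', 'ROC_roc_dec12', 'ROC_ROC_JULY_P1', 'SunJavaUpdateSched')
}
$scopeKey  = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$scopeGuid = '{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}'

$findings = @()
foreach ($s in $services) {
  # Get-Service returns nothing (no error) when the service is not registered.
  if (Get-Service -Name $s -ErrorAction SilentlyContinue) { $findings += "service still registered: $s" }
}
foreach ($p in $paths) {
  if (Test-Path -LiteralPath $p) { $findings += "path still present: $p" }
}
foreach ($key in $runValues.Keys) {
  if (Test-Path $key) {
    $item = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
      # PSObject.Properties[...] is $null when the value no longer exists.
      if ($null -ne $item.PSObject.Properties[$name]) { $findings += "Run value still present: $key\$name" }
    }
  }
}
# The hijacked IE search scope: the GUID subkey and the default-scope pointer.
if (Test-Path (Join-Path $scopeKey $scopeGuid)) { $findings += "search scope still present: $scopeGuid" }
if (Test-Path $scopeKey) {
  $scope = Get-ItemProperty -Path $scopeKey
  if ($null -ne $scope.PSObject.Properties['BrowserMngrDefaultScope']) { $findings += 'BrowserMngrDefaultScope still set' }
}
if ($findings.Count -eq 0) { 'All items from the OTL fix are gone.' } else { $findings }
```

Anything it prints is a leftover to re-check in the next MGlogs.zip; an empty result means the fix took and a remaining hijack is coming from somewhere the script does not target.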
     
  41. Haruhi

    Haruhi Private E-2

    Here you go.
     

    Attached Files:

  42. thisisu

    thisisu Malware Consultant

    Nice Chaslang, so it was RelevantKnowledge that was regenerating the iClaro homepage? Latest runkeys look good :)
     
  43. Haruhi

    Haruhi Private E-2

    So I should re-install Firefox and try again?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably not. It would more likely be that AVG was getting in the way of removal.

    Yes try reinstalling Firefox now and let's see what happens.
     
  45. Haruhi

    Haruhi Private E-2

    Still there.
     
  46. thisisu

    thisisu Malware Consultant

  47. Haruhi

    Haruhi Private E-2

    Performed that step again.

    Still there. Getting depressed now...:cry
     
  48. thisisu

    thisisu Malware Consultant

    Can you complete the SystemLook instructions here again?

    By the way, do you know where you obtained this infection? If it was a specific website, can you create and attach a text file to your next message with the site that infected you?
     
  49. Haruhi

    Haruhi Private E-2

    I have no idea how or where I acquired Claro. I really don't visit many shady places. I do have one website where I watch episodes of shows I Can't get on TV and the website is usually full of pop-ups, but it doesn't ask me to download anything or change my settings.

    www.watchseries.eu

    Attached is the log.
     

    Attached Files:

  50. thisisu

    thisisu Malware Consultant

    We normally do not do this but since this type of hijack is becoming more prevalent and you are still having issues, I'm offering to remote into your computer and try to fix the problem (should be faster if I can see it first hand); if you are interested in this (no problem if you're not) download and install TeamViewer from here and attach YOUR TEAMVIEWER ID and PASSWORD in a text file. I'll remove the attachment once I have it.

    I'll be around for a few hours (currently it is 2:16PM CST).
     
